More details have emerged about a set of now-patched cross-site scripting (XSS) flaws in the Azure HDInsight open-source analytics service that could be weaponized by a threat actor to carry out malicious activities.
"The identified vulnerabilities consisted of six stored XSS and two reflected XSS vulnerabilities, each of which could be exploited to perform unauthorized actions, varying from data access to session hijacking and delivering malicious payloads," Orca security researcher Lidor Ben Shitrit said in a report shared with The Hacker News.
The issues were addressed by Microsoft as part of its Patch Tuesday updates for August 2023.
The disclosure comes three months after similar shortcomings were reported that could have been exploited for unauthorized data access and modifications.
The list of flaws is as follows:
- Azure Apache Hive Spoofing Vulnerability (CVSS score: 4.5)
- Azure HDInsight Jupyter Notebook Spoofing Vulnerability (CVSS score: 4.6)
- Azure Apache Oozie Spoofing Vulnerability (CVSS score: 4.5)
- Azure Apache Ambari Spoofing Vulnerability (CVSS score: 4.5)
- Azure Apache Hadoop Spoofing Vulnerability (CVSS score: 4.5)
XSS attacks occur when an adversary injects rogue scripts into a legitimate website; the scripts then execute in victims' web browsers when they visit the site. While reflected XSS targets users who are tricked into clicking a crafted link, stored XSS is embedded in a web page and affects every user who loads it.
The cloud security firm said that all the flaws stem from a lack of proper input sanitization, which makes it possible to render malicious characters when the dashboard loads.
"These weaknesses collectively allow an attacker to inject and execute malicious scripts when the stored data is retrieved and displayed to users," Ben Shitrit noted, urging organizations to implement adequate input validation and output encoding to "ensure that user-generated data is properly sanitized before being displayed in web pages."
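The stored-XSS pattern the report describes, and the output-encoding control it recommends, side by side. This is an added illustration, not code from the article, from Orca, or from Microsoft's HDInsight dashboards; the row fields (`name`, `note`), the `renderRow*` functions and the sample rows are constructed for the example.

```javascript
// Added example (not from the article, Orca, or Microsoft): a stored value is
// rendered into dashboard markup first without and then with HTML output
// encoding. Field names and sample rows are hypothetical and constructed.

// HTML-encode the five characters that can break out of text or attribute
// context. Encoding is applied at output time, so the stored value itself is
// left untouched and can still be searched, exported, or shown elsewhere.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: stored fields are concatenated straight into markup,
// so anything a user saved earlier is rendered as live HTML for every viewer.
function renderRowUnsafe(row) {
  return `<tr><td>${row.name}</td><td title="${row.note}">${row.note}</td></tr>`;
}

// Hardened pattern: every untrusted field passes through escapeHtml(),
// in both the text node and the quoted attribute.
function renderRowSafe(row) {
  const name = escapeHtml(row.name);
  const note = escapeHtml(row.note);
  return `<tr><td>${name}</td><td title="${note}">${note}</td></tr>`;
}

// Crude check used only by this example: did a raw tag or an attribute
// break-out from the data survive into the rendered HTML?
function containsRawTag(html) {
  return /<script|<img|onerror=|"\s*onmouseover=/i.test(html);
}

// Constructed sample rows standing in for data a user stored earlier.
// The second row carries harmless markers where a real payload would sit.
const SAMPLE_ROWS = [
  { name: 'job-1', note: 'nightly ETL' },
  { name: '<script>/* constructed sample */</script>', note: 'x" onmouseover="/* constructed */' },
];

// Render the sample rows both ways and report whether markup leaked through.
function demo(rows = SAMPLE_ROWS) {
  const unsafe = rows.map(renderRowUnsafe).join('\n');
  const safe = rows.map(renderRowSafe).join('\n');
  return {
    unsafe,
    safe,
    unsafeLeaks: containsRawTag(unsafe), // true: stored markup became live HTML
    safeLeaks: containsRawTag(safe),     // false: it is displayed as text
  };
}

const result = demo();
console.log(result.unsafe + '\n---\n' + result.safe);
console.log('unsafe leaks markup:', result.unsafeLeaks, '| safe leaks markup:', result.safeLeaks);
```

The encoder covers HTML text and quoted-attribute context only; values placed into a JavaScript string, a URL, or an inline event handler need the encoder for that context, which is why a templating engine with context-aware auto-escaping (plus a Content Security Policy as a second layer) is the usual way to apply this across a whole dashboard rather than per call site.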