More details have emerged about a set of cross-site scripting (XSS) vulnerabilities, now fixed, in the Microsoft Azure HDInsight open-source analytics service that could be exploited by a threat actor to carry out malicious activities.
“The vulnerabilities identified consisted of six stored XSS vulnerabilities and two reflected XSS vulnerabilities, each of which could be exploited to perform unauthorized actions, ranging from data access to session hijacking and delivery of malicious payloads,” Lidor Ben Shitrit, security researcher at Orca, said in a report shared with The Hacker News.
The issues were addressed by Microsoft as part of its August 2023 Patch Tuesday updates.
The disclosure comes three months after similar flaws were reported in Azure Bastion and Azure Container Registry that could have been exploited for unauthorized data access and modifications.
The list of flaws is as follows:
- CVE-2023-35393 (CVSS score: 4.5) – Identity theft vulnerability in Azure Apache Hive
- CVE-2023-35394 (CVSS score: 4.6) – Azure HDInsight Jupyter Notebook Impersonation Vulnerability
- CVE-2023-36877 (CVSS score: 4.5) – Identity theft vulnerability in Azure Apache Oozie
- CVE-2023-36881 (CVSS score: 4.5) – Identity theft vulnerability in Azure Apache Ambari
- CVE-2023-38188 (CVSS score: 4.5) – Identity theft vulnerability in Azure Apache Hadoop
“An attacker would have to send the victim a malicious file that the victim would have to execute,” Microsoft noted in its bug advisories. “An authorized attacker with guest privileges must send a victim a malicious site and convince them to open it.”
XSS attacks occur when an adversary injects malicious scripts into a legitimate website; the scripts are then executed in victims’ web browsers when they visit the site. While reflected XSS targets users who are tricked into clicking on a fraudulent link, stored XSS is embedded in a web page and affects all users who access it.
The cloud security company said all the flaws stem from a lack of proper input sanitization, which allows malicious characters to be displayed when loading the dashboard.
“These weaknesses collectively allow an attacker to inject and execute malicious scripts when stored data is retrieved and displayed to users,” Ben Shitrit noted, urging organizations to implement input validation and adequate output encoding to “ensure that user-generated data is properly cleaned before being displayed on web pages.”
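The output-encoding advice above, shown as an added example (not code from Orca, Microsoft or HDInsight): a hypothetical job-list row built from stored fields, first by raw concatenation and then with each field encoded for the HTML context it lands in. All function names and the sample record are constructed for illustration.

```javascript
// Added example: output encoding for stored values rendered in a dashboard.
// escapeHtml, safeHref, renderRowUnsafe, renderRowSafe and storedJob are
// hypothetical names, not part of any product mentioned in the article.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) links; any other scheme or a parse failure becomes "#".
function safeHref(value) {
  try {
    const url = new URL(String(value));
    return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : '#';
  } catch {
    return '#'; // not an absolute URL
  }
}

// Before: stored fields are concatenated straight into markup.
function renderRowUnsafe(job) {
  return `<tr><td>${job.name}</td><td><a href="${job.logUrl}">log</a></td></tr>`;
}

// After: each field is validated and encoded for the context it is written into.
function renderRowSafe(job) {
  const href = escapeHtml(safeHref(job.logUrl));
  return `<tr><td>${escapeHtml(job.name)}</td><td><a href="${href}">log</a></td></tr>`;
}

// Constructed sample record, as it might come back from storage.
const storedJob = {
  name: '<script>alert(1)</script>',
  logUrl: 'javascript:alert(1)',
};

console.log(renderRowUnsafe(storedJob)); // stored markup reaches the page unchanged
console.log(renderRowSafe(storedJob));   // rendered as inert text, link neutralised
```

Encoding at render time covers data that was stored before any input validation existed, which is why it is applied in addition to validation rather than instead of it.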