Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Cloud Security

XSS Vulnerabilities in Azure Led to Unauthorized Access to User Sessions

Microsoft addressed two cross-site scripting (XSS) vulnerabilities in Azure Bastion and Azure Container Registry (ACR) leading to unauthorized access to user sessions.

Two cross-site scripting (XSS) vulnerabilities in Azure Bastion and Azure Container Registry (ACR) could have led to unauthorized access to user sessions, data tampering, and service disruptions, cloud security firm Orca warns.

The issues, resolved in April and May 2023, existed because of a weakness in the postMessage iframe, allowing an attacker to “embed endpoints within remote servers using the iframe tag” and execute malicious JavaScript code.

In Azure Bastion, which acts as a hardened gateway to provide access to virtual machines by creating a private remote desktop protocol (RDP) or secure shell (SSH) session between the local machine and the Azure VM, the vulnerability existed in the Azure Network Watcher connection troubleshooter.

Due to incorrectly implemented validation checks, an attacker could craft an HTML page that, once rendered in the victim’s browser, would lead to code execution.

According to Orca, multiple security weaknesses contributed to the vulnerability, allowing an attacker to automate the execution of a malicious SVG payload on behalf of the victim.

In the case of Azure Container Registry, the vulnerability existed in an HTML code snippet in an unused web page as part of ACR’s Azure Portal extension. Orca’s testing identified the HTML file that allowed for code injection.

A managed cloud service, Azure Container Registry allows users to deploy, manage, and store container images from a centralized location.

Orca discovered that the portal’s main page contained an iframe communicating with postMessages with an HTML file. The communication method was then found to be susceptible to exploitation, because of a missing origin check.

Advertisement. Scroll to continue reading.

Orca reported the XSS in Azure Bastion to Microsoft in April and the XSS in the Azure Container Registry in May. Microsoft resolved both issues after being able to reproduce them.

“For Azure Bastion, the underlying Network Watcher file that incorrectly performed its origin check was updated to remove the vulnerable line of code. For Azure Container Registry, the ACR engineering team removed the vulnerable file after determining the vulnerable HTML page was legacy code and not actually used as part of the current Azure Portal experience,” Microsoft explains.

The tech giant says that it has no evidence of any of these vulnerabilities being exploited in attacks, beyond the proof-of-concept (PoC) code that Orca provided to demonstrate them.

Related: Azure API Management Vulnerabilities Allowed Unauthorized Access

Related: Microsoft Azure Users Warned of Potential Shared Key Authorization Abuse

Related: Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights