Connect with us

Hi, what are you looking for?


Cloud Security

XSS Vulnerabilities in Azure Led to Unauthorized Access to User Sessions

Microsoft addressed two cross-site scripting (XSS) vulnerabilities in Azure Bastion and Azure Container Registry (ACR) leading to unauthorized access to user sessions.

Two cross-site scripting (XSS) vulnerabilities in Azure Bastion and Azure Container Registry (ACR) could have led to unauthorized access to user sessions, data tampering, and service disruptions, cloud security firm Orca warns.

The issues, resolved in April and May 2023, existed because of a weakness in the postMessage iframe, allowing an attacker to “embed endpoints within remote servers using the iframe tag” and execute malicious JavaScript code.

In Azure Bastion, which acts as a hardened gateway to provide access to virtual machines by creating a private remote desktop protocol (RDP) or secure shell (SSH) session between the local machine and the Azure VM, the vulnerability existed in the Azure Network Watcher connection troubleshooter.

Due to incorrectly implemented validation checks, an attacker could craft an HTML page that, once rendered in the victim’s browser, would lead to code execution.

According to Orca, multiple security weaknesses contributed to the vulnerability, allowing an attacker to automate the execution of a malicious SVG payload on behalf of the victim.

In the case of Azure Container Registry, the vulnerability existed in an HTML code snippet in an unused web page as part of ACR’s Azure Portal extension. Orca’s testing identified the HTML file that allowed for code injection.

A managed cloud service, Azure Container Registry allows users to deploy, manage, and store container images from a centralized location.

Advertisement. Scroll to continue reading.

Orca discovered that the portal’s main page contained an iframe communicating with postMessages with an HTML file. The communication method was then found to be susceptible to exploitation, because of a missing origin check.

Orca reported the XSS in Azure Bastion to Microsoft in April and the XSS in the Azure Container Registry in May. Microsoft resolved both issues after being able to reproduce them.

“For Azure Bastion, the underlying Network Watcher file that incorrectly performed its origin check was updated to remove the vulnerable line of code. For Azure Container Registry, the ACR engineering team removed the vulnerable file after determining the vulnerable HTML page was legacy code and not actually used as part of the current Azure Portal experience,” Microsoft explains.

The tech giant says that it has no evidence of any of these vulnerabilities being exploited in attacks, beyond the proof-of-concept (PoC) code that Orca provided to demonstrate them.

Related: Azure API Management Vulnerabilities Allowed Unauthorized Access

Related: Microsoft Azure Users Warned of Potential Shared Key Authorization Abuse

Related: Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...