More details have emerged about a set of now-patched cross-site scripting (XSS) flaws in the Microsoft Azure HDInsight open-source analytics service that could be weaponized by a threat actor to carry out malicious activities.
The disclosure comes three months after similar shortcomings were reported in the Azure Bastion and Azure Container Registry that could have been exploited for unauthorized data access and modifications.
The list of flaws is as follows –
XSS attacks occur when an adversary injects rogue scripts into a legitimate website, which subsequently get executed on victims’ web browsers when visiting the site. While reflected XSS targets users who are tricked into clicking on a fraudulent link, Stored XSS is embedded in a web page and affects all users accessing it.
The cloud security firm said that all the flaws stem from a lack of proper input sanitization that makes it possible to render malicious characters upon loading the dashboard.
“These weaknesses collectively allow an attacker to inject and execute malicious scripts when the stored data is retrieved and displayed to users,” Ben Shitrit noted, urging organizations to implement adequate input validation and output encoding to “ensure that user-generated data is properly sanitized before being displayed in web pages.”
Source: https://thehackernews.com/
