More details have emerged about a set of now-patched cross-site scripting (XSS) flaws in the Microsoft Azure HDInsight open-source analytics service that could be weaponized by a threat actor to carry out malicious activities.
"The identified vulnerabilities consisted of six stored XSS and two reflected XSS vulnerabilities, each of which could be exploited to perform unauthorized actions, varying from data access to session hijacking and delivering malicious payloads," Orca security researcher Lidor Ben Shitrit said in a report shared with The Hacker News.
The issues were addressed by Microsoft as part of its Patch Tuesday updates for August 2023.
The disclosure comes three months after similar shortcomings were reported in the Azure Bastion and Azure Container Registry that could have been exploited for unauthorized data access and modifications.
The list of flaws is as follows -
- CVE-2023-35393 (CVSS score: 4.5) - Azure Apache Hive Spoofing Vulnerability
- CVE-2023-35394 (CVSS score: 4.6) - Azure HDInsight Jupyter Notebook Spoofing Vulnerability
- CVE-2023-36877 (CVSS score: 4.5) - Azure Apache Oozie Spoofing Vulnerability
- CVE-2023-36881 (CVSS score: 4.5) - Azure Apache Ambari Spoofing Vulnerability
- CVE-2023-38188 (CVSS score: 4.5) - Azure Apache Hadoop Spoofing Vulnerability
"An attacker would have to send the victim a malicious file that the victim would have to execute," Microsoft noted in its advisories for the bugs. "An authorized attacker with guest privileges must send a victim a malicious site and convince them to open it."
XSS attacks occur when an adversary injects rogue scripts into a legitimate website, which subsequently get executed on victims' web browsers when visiting the site. While reflected XSS targets users who are tricked into clicking on a fraudulent link, Stored XSS is embedded in a web page and affects all users accessing it.
The cloud security firm said that all the flaws stem from a lack of proper input sanitization that makes it possible to render malicious characters upon loading the dashboard.
"These weaknesses collectively allow an attacker to inject and execute malicious scripts when the stored data is retrieved and displayed to users," Ben Shitrit noted, urging organizations to implement adequate input validation and output encoding to "ensure that user-generated data is properly sanitized before being displayed in web pages."
