Threat actors could leverage eight cross-site scripting vulnerabilities impacting the Microsoft Azure HDInsight analytics service to facilitate various malicious activities, including session hijacking, data compromise, and malware delivery, The Hacker News reports.
All of the vulnerabilities, which include the Azure Apache Hive spoofing flaw (CVE-2023-35393), the Azure HDInsight Jupyter Notebook spoofing bug (CVE-2023-35394), and the Azure Apache Ambari spoofing flaw (CVE-2023-36881), among others, have been addressed by Microsoft as part of this month's Patch Tuesday updates.
Microsoft noted that exploiting the vulnerabilities requires attackers with guest privileges to deliver a malicious file, which would need to be executed by the recipient.
"These weaknesses collectively allow an attacker to inject and execute malicious scripts when the stored data is retrieved and displayed to users," said Orca security researcher Lidor Ben Shitrit, who emphasized the importance of sufficient input validation and output encoding to prevent compromise.
New Microsoft Azure HDInsight flaws identified