Cloud security company Orca has alerted about two cross-site scriptings (XSS) vulnerabilities in Azure Bastion and ACR. These vulnerabilities, which were addressed in April and May 2023, could result in unauthorized access to user sessions, manipulation of data, and disruptions to services. The vulnerabilities stemmed from a flaw in the postMessage iframe, enabling attackers to implant endpoints on remote servers using the iframe tag and execute malicious JavaScript code.
Specifically, the vulnerability in Azure Bastion was found within the Azure Network Watcher connection troubleshooter, which serves as a secure gateway to facilitate access to virtual machines by establishing private RDP or SSH sessions between the local machine and the Azure VM.
Read More: XSS Vulnerabilities in Azure Led to Unauthorized Access to User Sessions
For more such updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates.