high

XSS in Azure Bastion and Container Registry

Published Wed, Jun 14th, 2023
Platforms

Summary

Orca discovered vulnerabilities in Azure Bastion and Azure Container Registry that could have enabled an attacker to achieve Cross-Site Scripting (XSS) by using iframe postMessages. The vulnerabilities allowed embedding of endpoints within remote attacker-controlled servers using the iframe tag, thereby granting unauthorized access to the victim’s session in the affected service if they were tricked into navigating to an attacker-controlled website. The root cause was that certain web pages in the Bastion and Container Registry customer-facing portals allowed embedding of iframes in remote servers, meaning they were not using mitigations such as the X-Frame-Options header or the frame-ancestors directive in a Content Security Policy (CSP), which would have prevented these issues.

Affected Services

Azure Bastion, Azure Container Registry

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Entry Status
Finalized
Disclosure Date
Thu, Apr 13th, 2023
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
8.63
(PI:1.5/A1:20/A2:1.1/A7:1.1/A8:0.9)
Discovered by
Lidor Ben Shitrit, Orca Security