medium

Super FabriXss

Published Tue, Mar 14th, 2023

Platforms

Summary

Azure Service Fabric Explorer (SFX) was affected by an XSS vulnerability that could have allowed a malicious script to be reflected off a web application. After a potential victim clicked on a crafted malicious URL, the attacker could remotely toggle the ‘Cluster’ Event Type setting under the Events tab. This could lead to unauthenticated remote code execution on a container hosted on a Service Fabric node.

Affected Services

Azure Service Fabric Explorer (SFX)

Remediation

None required

Tracked CVEs

CVE-2023-23383

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23383 https://orca.security/resources/blog/super-fabrixss-azure-vulnerability/

Contributed by https://github.com/mer-b

Disclosure Date

Tue, Dec 20th, 2022

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Lidor Ben Shitrit, Orca Security

More vulnerabilities...

medium

Overprivileged CodeBuild default ECR IAM policy

For AWS CodeBuild, when using a custom container image stored in ECR and the project service role for the credentials to pull the image, the default IAM policy attached to the role to allow pulli...

Will Deane, ASX Consulting

Sat, Feb 25th, 2023

critical

Azure AD B2C cryptographic flaw allowing account compromise

Azure Active Directory B2C service (AD B2C) mistakenly implemented RSA key authentication using the public part of the key pair instead of the private one. This cryptographic flaw could have allowe...

John Novak, Praetorian

Wed, Feb 15th, 2023

medium

Azure App Service on Azure Stack Hub privilege escalation

A privilege escalation vulnerability was discovered in Azure App Service on Azure Stack Hub (an on-prem private cloud offering). To exploit this vulnerability, an attacker must have access to the t...

Ruslan Sayfiev, Denis Faius...

Tue, Feb 14th, 2023

View all