Researchers Uncover XSS Vulnerabilities in Azure Services

Cybersecurity experts at Orca Security have identified two critical cross-site scripting (XSS) vulnerabilities in Microsoft Azure services.

The flaws, which stemmed from a weakness in postMessage iframe handling, could have exposed Azure users to potential security breaches.

The vulnerabilities were found in Azure Bastion and Azure Container Registry – two commonly used services in the Azure ecosystem. 

“Despite several Azure security enhancements to mitigate the postMessage iframe XSS vulnerability, we still managed to uncover two Azure services – Azure Bastion and Azure Container Registry – that were exploitable via this vulnerability,” Orca wrote in a report published today.

The first of these, affecting Azure Bastion, lies in the mishandling of the postMessage handler, which allowed attackers to exploit three distinct postMessage cases.

By sending a specially crafted postMessage, attackers could execute malicious scripts, potentially compromising user sessions and sensitive data.

Meanwhile, the Azure Container Registry flaw allowed attackers to inject and execute arbitrary scripts within the context of the container registry.

This enabled them to manipulate the behavior of the affected web application and potentially steal sensitive information or perform unauthorized actions.

“The vulnerabilities allowed unauthorized access to the victim’s session within the compromised Azure service iframe, which can lead to severe consequences, including unauthorized data access, unauthorized modifications, and disruption of the Azure services iframes,” Orca wrote.
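A defensive pattern for the class of flaw described above is a postMessage handler that checks the origin, the sender window and the message shape before acting on anything. The sketch below is an added example, not code from Orca's report or from Azure; the origin, message types and function names are hypothetical.

```javascript
// Added example: origins, message types and function names are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://portal.example.com"]); // assumed trusted parent

// Per-type validators: only known message types with well-formed payloads pass.
const VALIDATORS = {
  setTitle: (p) => typeof p === "string" && p.length <= 200,
  navigate: (p) => typeof p === "string" && /^\/[A-Za-z0-9_-]+(\/[A-Za-z0-9_-]+)*$/.test(p),
};

// Returns a handler for "message" events. `expectedSource` is the window we
// expect to hear from (e.g. window.parent); `actions` maps type -> callback.
function createMessageHandler(expectedSource, actions) {
  return function onMessage(event) {
    // 1. Exact-match origin check; never substring or prefix matching.
    if (!ALLOWED_ORIGINS.has(event.origin)) return "rejected:origin";
    // 2. The sender must be the specific window we are paired with.
    if (event.source !== expectedSource) return "rejected:source";
    // 3. Data must be an object with a known type and a valid payload.
    const msg = event.data;
    if (msg === null || typeof msg !== "object") return "rejected:shape";
    if (!Object.prototype.hasOwnProperty.call(VALIDATORS, msg.type)) return "rejected:type";
    if (!VALIDATORS[msg.type](msg.payload)) return "rejected:payload";
    // 4. Dispatch to a fixed action; the payload is treated as data, never as
    //    markup or code (no innerHTML, eval or script URLs in the actions).
    actions[msg.type](msg.payload);
    return "accepted";
  };
}

// Constructed demo: plain objects stand in for window.parent and the DOM.
function demo() {
  const parentWin = {}; // stand-in for window.parent
  const page = { title: "", path: "/" };
  const handler = createMessageHandler(parentWin, {
    setTitle: (t) => { page.title = t; }, // in a browser: el.textContent = t
    navigate: (p) => { page.path = p; },
  });
  const ok = "https://portal.example.com";
  const results = [
    handler({ origin: ok, source: parentWin, data: { type: "setTitle", payload: "Registry" } }),
    handler({ origin: ok + ".evil.test", source: parentWin, data: { type: "setTitle", payload: "x" } }),
    handler({ origin: ok, source: {}, data: { type: "setTitle", payload: "x" } }),
    handler({ origin: ok, source: parentWin, data: { type: "navigate", payload: "javascript:alert(1)" } }),
    handler({ origin: ok, source: parentWin, data: { type: "__proto__", payload: "x" } }),
  ];
  return { results, page };
}
// In a browser: window.addEventListener("message", createMessageHandler(window.parent, actions));
```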

The company promptly reported the vulnerabilities to Microsoft: “Upon discovery of these vulnerabilities, we immediately informed the Microsoft Security Response Center (MSRC), who were able to reproduce the issues.”

“Both vulnerabilities have now been fixed and verified – with no further action required by Azure users,” reads the report.

Its publication comes three months after Orca Security disclosed information about a separate flaw in Microsoft’s Azure Service Fabric Explorer (SFX) they called “Super FabriXss.”
