Cloud Security

New Microsoft Azure HDInsight flaws identified

Threat actors could leverage eight cross-site scripting vulnerabilities impacting the Microsoft Azure HDInsight analytics service to facilitate various malicious activities, including session hijacking, data compromise, and malware delivery, The Hacker News reports. All of the vulnerabilities, which include the Azure Apache Hive spoofing flaw, tracked as CVE-2023-35393, the Azure HDInsight Jupyter Notebook spoofing bug, tracked as CVE-2023-35394, and the Azure Apache Ambari spoofing flaw, tracked as CVE-2023-36881, among others, have been addressed by Microsoft as part of this month's Patch Tuesday updates. Microsoft noted that exploiting the vulnerabilities requires attackers with guest privileges to deliver a malicious file, which would need to be executed by the recipient. "These weaknesses collectively allow an attacker to inject and execute malicious scripts when the stored data is retrieved and displayed to users," said Orca security researcher Lidor Ben Shitrit, who emphasized the importance of sufficient input validation and output encoding to prevent compromise.
