VDB
GCVE-110-CLOUD-2023-0029
GCVE-110-CLOUD-2023-0029
Advisory Published
Orca discovered vulnerabilities in Azure Bastion and Azure Container Registry
that could have enabled an attacker to achieve Cross-Site Scripting (XSS) by
using iframe postMessages. The vulnerabilities allowed embedding of endpoints
within remote attacker-controlled servers using the iframe tag, thereby granting
unauthorized access to the victim’s session in the affected service if they
were tricked into navigating to an attacker-controlled website. The root cause
was that certain web pages in the Bastion and Container Registry customer-facing
portals allowed embedding of iframes in remote servers, meaning they were not
using mitigations such as the X-Frame-Options header or the frame-ancestors
directive in a Content Security Policy (CSP), which would have prevented these issues.
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Azure | Container Registry | — | — |
| Azure | Cloud Services | — | — |
| Azure | Azure Bastion, Azure Container Registry | — | — |
Browse GCVE Records
73,196 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.