VDB

GCVE-110-CLOUD-2023-0029

GCVE-110-CLOUD-2023-0029
Advisory Published
Vulnetix · Advisory published June 14, 2023
Orca discovered vulnerabilities in Azure Bastion and Azure Container Registry that could have enabled an attacker to achieve Cross-Site Scripting (XSS) by using iframe postMessages. The vulnerabilities allowed embedding of endpoints within remote attacker-controlled servers using the iframe tag, thereby granting unauthorized access to the victim’s session in the affected service if they were tricked into navigating to an attacker-controlled website. The root cause was that certain web pages in the Bastion and Container Registry customer-facing portals allowed embedding of iframes in remote servers, meaning they were not using mitigations such as the X-Frame-Options header or the frame-ancestors directive in a Content Security Policy (CSP), which would have prevented these issues.

Affected Products

VendorProductVersionsPlatforms
AzureContainer Registry
AzureCloud Services
AzureAzure Bastion, Azure Container Registry

References

advisory
advisory

Browse GCVE Records

73,196 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›