"Researchers Detail Azure SFX Flaw That Could've Allowed Attackers to Gain Admin Access"

More information has been shared by cybersecurity researchers about a now-patched security flaw in Azure Service Fabric Explorer (SFX) that could potentially allow an attacker to gain administrator privileges on the cluster. The vulnerability, tracked as CVE-2022-35829, has a CVSS severity rating of 6.2 and was addressed by Microsoft in recent Patch Tuesday updates. The vulnerability was dubbed FabriXss by Orca Security, which discovered and reported it to the tech giant on August 11, 2022. It affects Azure Fabric Explorer versions 8.1.316 and earlier. Microsoft describes SFX as an open-source tool for inspecting and managing Azure Service Fabric clusters; Service Fabric itself is a distributed systems platform used to build and deploy microservices-based cloud applications. The flaw stems from the fact that a user with "Create Compose Application" permissions via the SFX client can use those privileges to create a rogue app and exploit a stored cross-site scripting (XSS) flaw in the "Application name" field to inject the payload. This article continues to discuss the potential exploitation and impact of the Azure SFX flaw.

THN reports "Researchers Detail Azure SFX Flaw That Could've Allowed Attackers to Gain Admin Access"
