The bugs, which exploited a postMessage iframe flaw, might have exposed Azure customers to security risks. Two widely used services in the Azure ecosystem, Azure Bastion and Azure Container Registry, were found to be vulnerable.
“We still managed to uncover two Azure services - Azure Bastion and Azure Container Registry - that were exploitable via this vulnerability,” Orca stated in research released today. “This is despite several Azure security enhancements to mitigate the postMessage iframe XSS vulnerability.”