According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

A victim user would have to click the stored XSS payload injected by the attacker to be compromised.

According to the CVSS metric, confidentiality impact is low (C:L) but Integrity and Availability are High (I:H, A:H). What does that mean for this vulnerability?

An attacker who successfully exploited this vulnerability could potentially view sensitive data and perform operations on the targeted Service Fabric cluster, which could impact data integrity or availability.

How can I update my Service Fabric Cluster to the latest version?

If you have automatic updates, no action is needed. However, for those who choose to manually update, please refer to Manage Service Fabric cluster upgrades for instructions on how to update your Service Fabric Cluster.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

The vulnerability is in the web client, but the malicious scripts executed in the victim's browser translate into actions executed in the (remote) cluster.

According to the CVSS metric, the attack complexity is high (AC:H) and privileges required is none (PR:N). What does that mean for this vulnerability?

For this vulnerability to be successfully exploited, an unauthenticated attacker would have to convince or trick the victim into clicking through a sequence of multiple events.
Lidor B. with Orca Security