CVE-2024-30053: Azure Migrate Cross-Site Scripting Vulnerability

Overview

Severity: Medium (CVSS 6.5)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Category: Spoofing
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2024-May
Released: 2024-05-14
Last Updated: 2024-05-15
EPSS Score: 1.44% (percentile: 80.7%)

FAQ

What actions do customers need to take to protect themselves from this vulnerability?

The vulnerability has been mitigated by the latest change to the Azure Migrate Appliance. See here for information on how to ensure your Azure Migrate Appliance can get the latest Azure Migrate Agent and ConfigManager updates.

According to the CVSS metric, the attack vector is Network (AV:N), the attack complexity is Low (AC:L) and the privileges required is Low (PR:L). What does this mean for this vulnerability?

An authenticated attacker could store malicious JavaScript code in a parameter. This payload would be stored and would execute as a stored XSS when the webpage is rendered.

Affected Products (1)

Azure

  • Azure Migrate

Security Updates (1)

Acknowledgments

Andrea Piazza

Revision History

  • 2024-05-14: Information published.
  • 2024-05-15: Updated FAQ information. This is an informational change only.