CVE-2024-38201: Azure Stack Hub Elevation of Privilege Vulnerability
According to the CVSS metric, the attack complexity is high (AC:H) and user interaction is required (UI:R). What does that mean for this vulnerability?
An attacker would need to trick the user into transferring a malicious JSON file and hope that the user does not open and review it. If the user opens it, the user will see an invalid URL and will not import it into their dashboard. Even in a scenario where the user does import the malicious JSON file, the portal will not immediately send a token. Only in the corner case where the user subsequently reconfigures the dashboard from the portal would a token leak occur.
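The review step described above (opening the JSON and noticing a URL that does not belong) can be automated before a dashboard file is imported. The following is an added example, not code from Microsoft or from the advisory: it walks any JSON document, extracts every URL-like string, and flags those that are not HTTPS or whose host is not on an allowlist of expected portal and management endpoints. The allowlist hosts, the tile names and the sample dashboard are constructed for illustration (the endpoint names follow the Azure Stack Development Kit naming convention, but an operator would substitute their own environment's endpoints).

```python
import json
import re
from urllib.parse import urlparse

# Hosts a dashboard export is expected to reference. ASSUMPTION: these are
# example ASDK-style endpoint names, not a value taken from the advisory.
ALLOWED_HOSTS = {
    "portal.local.azurestack.external",
    "management.local.azurestack.external",
}

# Matches http(s) URLs embedded anywhere in a string (markdown tiles, labels, ...).
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def iter_strings(node, path="$"):
    """Yield (json_path, string) for every string value in a JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{idx}]")
    elif isinstance(node, str):
        yield path, node


def find_untrusted_urls(json_text, allowed_hosts=ALLOWED_HOSTS):
    """Return [(json_path, url, reason)] for every URL that an operator should
    review before importing the dashboard: non-HTTPS links and links whose
    host is not in the allowlist. An empty list means nothing looked off."""
    findings = []
    for path, text in iter_strings(json.loads(json_text)):
        for url in URL_RE.findall(text):
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            if parsed.scheme != "https":
                findings.append((path, url, "non-https scheme"))
            elif host not in allowed_hosts:
                findings.append((path, url, f"host {host!r} not in allowlist"))
    return findings


# Constructed sample dashboard export: two legitimate tiles, one plain-HTTP
# link and one tile pointing at a host that is not part of the environment.
SAMPLE_DASHBOARD = json.dumps({
    "name": "Ops dashboard",
    "tiles": [
        {"type": "ResourceTile",
         "resourceUri": "https://management.local.azurestack.external/subscriptions/sub-0000/resourceGroups/rg1"},
        {"type": "MarkdownTile",
         "content": "Runbook: https://portal.local.azurestack.external/#blade/Overview"},
        {"type": "MarkdownTile",
         "content": "Status page: http://portal.local.azurestack.external/status"},
        {"type": "IFrameTile",
         "url": "https://dashboard-updates.example.invalid/import"},
    ],
})

if __name__ == "__main__":
    for json_path, url, reason in find_untrusted_urls(SAMPLE_DASHBOARD):
        print(f"{json_path}: {url}  [{reason}]")
```

Run it against an exported dashboard file before importing: any finding is a reason to stop and inspect the file, which is exactly the manual review the advisory relies on. The allowlist is intentionally strict; a URL that is merely unexpected is worth a look even when it is not obviously malicious.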