Description
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network.
Published: 2025-12-18
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting leading to user spoofing
Action: Apply patch
AI Analysis

Impact

Azure Cosmos DB contains an improper neutralization of input during web page generation. This cross‑site scripting flaw allows an attacker to inject malicious scripts that are rendered in a web page context and executed by browsers of legitimate users, enabling the attacker to forge UI elements or impersonate other users. The vulnerability is identified as CWE‑79 and primarily threatens the integrity and trust of user interfaces rather than directly compromising data confidentiality or availability.

Affected Systems

The affected product is Microsoft Azure Cosmos DB. No specific affected version ranges are listed in the advisory; administrators should verify that their deployment is running a version that has received the latest security update from Microsoft.

Risk and Exploitability

The CVSS score of 8.3 classifies this as a high‑severity vulnerability. The EPSS score of less than 1% suggests a very low likelihood of widespread exploitation, and the vulnerability is not currently listed in the CISA KEV catalog. An attacker would need to send specially crafted input to Azure Cosmos DB that is subsequently reflected in a web page viewed by a user; the recorded CVSS vector (AV:N/AC:L/PR:N/UI:R) reflects this, as no privileges are required but the victim must interact with the affected page. Once the malicious script runs in the victim's browser, the attacker can perform spoofing actions such as presenting forged interface content to deceive users. Because the exploitation path requires network access to the database service and a user to view the tainted page, it is not trivially deployable but remains a serious risk for exposed instances.

Generated by OpenCVE AI on April 20, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install the latest Microsoft patch for Azure Cosmos DB as soon as it becomes available.
  • Apply strict input validation and output encoding to any data that may be displayed on web pages, following XSS mitigation guidelines associated with CWE‑79.
  • Deploy a web application firewall or Azure Front Door rule set to detect and block suspicious script payloads and monitor HTTP traffic for signs of injection attempts.
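The following is an added example, not code from the advisory or from Microsoft, illustrating the output-encoding and input-validation mitigation recommended above for CWE‑79. The field name (a user display name), the sample values and the helper function names are constructed for the demonstration; it contrasts a vulnerable rendering pattern with its encoded counterpart in both HTML text and attribute contexts.

```python
import html
import re

# Constructed sample values for the demonstration; not taken from the advisory.
UNTRUSTED_NAME = 'Bob <script>alert("xss")</script>'
SAFE_NAME = "Bob"

# Vulnerable pattern (CWE-79): untrusted data is concatenated straight into
# HTML, so any markup it carries is parsed and executed by the browser.
def render_greeting_unsafe(display_name: str) -> str:
    return f"<p>Welcome back, {display_name}</p>"

# Mitigated pattern: entity-encode the data for the HTML text context before
# it reaches the page, so the browser displays the characters instead of
# interpreting them as markup.
def render_greeting_safe(display_name: str) -> str:
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}</p>"

# Attribute context: the value must be both quoted and encoded; quote=True
# turns double and single quotes into entities so the attribute cannot be
# terminated early by the data.
def render_avatar_title_safe(display_name: str) -> str:
    return f'<img src="/avatar.png" title="{html.escape(display_name, quote=True)}">'

# Defence in depth: an allowlist for fields with a known-good shape. This is a
# hypothetical policy for the constructed display-name field, not a rule from
# the advisory.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 ._'-]{1,64}")

def is_valid_display_name(display_name: str) -> bool:
    return DISPLAY_NAME_RE.fullmatch(display_name) is not None

# Regression check a team can run over its templates: encoded output must not
# contain the untrusted input verbatim when that input carries markup.
def contains_raw_markup(rendered: str, untrusted: str) -> bool:
    return "<" in untrusted and untrusted in rendered

if __name__ == "__main__":
    print("unsafe:", render_greeting_unsafe(UNTRUSTED_NAME))
    print("safe:  ", render_greeting_safe(UNTRUSTED_NAME))
    print("valid name:", is_valid_display_name(SAFE_NAME))
```

Output encoding is the primary control: it is applied at the point of rendering and must match the context (HTML text, attribute, URL, JavaScript) the data lands in. The allowlist is a secondary control that narrows what reaches the page at all; neither replaces the vendor patch.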


Tracking


Advisories

No advisories yet.

History

Fri, 16 Jan 2026 17:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Microsoft azure Cosmos Db
CPEs                |                | cpe:2.3:a:microsoft:azure_cosmos_db:-:*:*:*:*:*:*:*
Vendors & Products  |                | Microsoft azure Cosmos Db

Fri, 19 Dec 2025 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 23:30:00 +0000

Type                | Values Removed | Values Added
Description         |                | Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network.
Title               |                | Azure Cosmos DB Spoofing Vulnerability
First Time appeared |                | Microsoft
                    |                | Microsoft cosmos Db
Weaknesses          |                | CWE-79
CPEs                |                | cpe:2.3:a:microsoft:cosmos_db:*:*:*:*:*:*:*:*
Vendors & Products  |                | Microsoft
                    |                | Microsoft cosmos Db
References          |                |
Metrics             |                | cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:19:06.437Z

Reserved: 2025-11-06T23:40:37.277Z

Link: CVE-2025-64675

Vulnrichment

Updated: 2025-12-19T15:12:36.368Z

NVD

Status : Analyzed

Published: 2025-12-19T00:15:52.933

Modified: 2026-01-16T17:25:03.713

Link: CVE-2025-64675

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T15:45:10Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')