Impact
An authorized user can supply malicious input that is not properly neutralized during web page generation in Azure HDInsight, resulting in cross-site scripting. An attacker can exploit this flaw to inject scripts that masquerade as legitimate content, enabling spoofing of the HDInsight web interface and potentially misleading both users and administrators. The underlying weakness is a classic XSS flaw (CWE-79), which allows arbitrary script execution in the victim's browser and may facilitate further attacks such as session hijacking or phishing within the HDInsight environment.
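As an added illustration, not code from Microsoft or the HDInsight service, the following JavaScript shows the CWE-79 defect class named above (untrusted input interpolated raw into generated HTML) beside its standard mitigation, output encoding for the HTML context. The render functions, the tag counter and the sample cluster name are constructed for this example and do not describe HDInsight's actual templates.

```javascript
// Added example, not code from Azure HDInsight or Microsoft. It contrasts
// untrusted input interpolated raw into generated HTML (CWE-79) with
// context-aware output encoding. Function names and the sample cluster name
// are constructed for illustration.

// Replacement table for the characters that can terminate HTML text content
// or a double/single-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode untrusted data for insertion into HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Inverse mapping, used only to show that encoding loses no information:
// the browser still displays the original characters, it just does not
// parse them as markup.
function unescapeHtml(encoded) {
  const reverse = Object.fromEntries(
    Object.entries(HTML_ESCAPES).map(([raw, esc]) => [esc, raw]));
  return encoded.replace(/&(amp|lt|gt|quot|#x27);/g, (m) => reverse[m]);
}

// Vulnerable rendering: the user-supplied cluster name lands in the page
// unmodified, so any markup inside it becomes part of the document.
function renderClusterCardUnsafe(clusterName) {
  return `<div class="cluster" title="${clusterName}">` +
         `<h2>${clusterName}</h2></div>`;
}

// Hardened rendering: every interpolation of untrusted data is encoded for
// its context (text node and quoted attribute share the same escape set).
function renderClusterCardSafe(clusterName) {
  const safe = escapeHtml(clusterName);
  return `<div class="cluster" title="${safe}"><h2>${safe}</h2></div>`;
}

// Constructed input of the spoofing kind the advisory describes: text that,
// if parsed as HTML, adds a fake "sign in again" link to the management UI.
const SPOOFED_NAME =
  'prod-cluster <a href="https://example.invalid/login">Session expired, sign in again</a>';

// Count HTML start tags in a rendered fragment. A correctly encoded template
// contains exactly the tags written in the template itself, nothing more.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

console.log('unsafe start tags:', countTags(renderClusterCardUnsafe(SPOOFED_NAME)));
console.log('safe start tags:  ', countTags(renderClusterCardSafe(SPOOFED_NAME)));
console.log(renderClusterCardSafe(SPOOFED_NAME));
```

The unsafe template yields four start tags for the constructed name (the two it declares plus the injected link, once in the attribute and once in the heading), while the hardened template yields only the two it declares. A review or CI check that counts tags in rendered fixtures against the template's own tag count is a cheap regression test for this weakness class.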
Affected Systems
The Microsoft Azure HDInsight service is affected. The CVE does not specify particular product versions or build numbers, so any deployed Azure HDInsight cluster that has not been updated since the release of the relevant Microsoft patch may be vulnerable.
Risk and Exploitability
The CVSS score of 5.7 indicates moderate severity, and the EPSS value of less than 1% reflects a very low probability of exploitation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation requires authorized credentials and the ability to submit user-controlled input to the HDInsight web application; with such access, an attacker can craft malicious scripts and cause spoofed content to be rendered in the browser. Overall risk is moderate, with a low likelihood of widespread attacks unless a working exploit becomes publicly available.
OpenCVE Enrichment