Microsoft Azure Account Takeover via DOM-based XSS in Cosmos DB Explorer

We discussed this vulnerability during Episode 191 on 27 February 2023

A couple of vulnerabilities here: the first is a bad regex that allows the origin validation on cross-origin messages to be bypassed. The second is a pair of innerHTML assignments fed with data from a cross-origin message.

The first issue was in one of the several regex patterns used to validate the origin of a cross-origin message. The vulnerable regex pattern was: ^https://cosmos-db-dataexplorer-germanycentral.azurewebsites.de$. If you’ve followed our weekly spot the vulns you might recognize this bug pattern. The unescaped . characters in a regex match any character, not just the literal . character, so an attacker could register one of many look-alike domains that satisfy the pattern and bypass the filter.

With the ability to send cross-origin messages that pass the validation, cross-site scripting was fairly easy. A chart was insecurely generated from the data in the message, and the CORS header allowed inline scripts.

// chart title taken straight from the cross-origin message and parsed as HTML
chartTitleElement.innerHTML = data.chartSettings.chartTitle;
/* ... */
// same sink for the error message carried in the message
noDataMessageContent.innerHTML = data.errorMessage;
/* ... */
// both elements are then attached to the live page
document.getElementById(Heatmap.elementId)!.appendChild(chartTitleElement);
document.getElementById(Heatmap.elementId)!.appendChild(noDataMessageElement);
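As an added example (not code from the original post or from the Cosmos DB Explorer code base), here is the page's origin regex beside two fixed checks and a text-only rendering of the chart title; the look-alike origin and the minimal document stand-in are constructed for illustration.

```javascript
// Added example: origin check from the page, two fixed variants, and a safe sink.

// Vulnerable pattern quoted on the page: both '.' are unescaped metacharacters.
const VULNERABLE_ORIGIN_RE = /^https:\/\/cosmos-db-dataexplorer-germanycentral.azurewebsites.de$/;

// Fix 1: escape the dots so they match only a literal '.'.
const ESCAPED_ORIGIN_RE = /^https:\/\/cosmos-db-dataexplorer-germanycentral\.azurewebsites\.de$/;

// Fix 2 (preferred): no regex at all, an exact-match allow list of trusted origins.
const TRUSTED_ORIGINS = new Set([
  "https://cosmos-db-dataexplorer-germanycentral.azurewebsites.de",
]);

function isTrustedOriginVulnerable(origin) {
  return VULNERABLE_ORIGIN_RE.test(origin);
}

function isTrustedOriginEscaped(origin) {
  return ESCAPED_ORIGIN_RE.test(origin);
}

function isTrustedOriginAllowList(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Safe sink: render untrusted message data as text, never as HTML.
// `doc` is any object exposing createElement() (the real document in a browser;
// a constructed stand-in in the test so this file also runs under Node).
function renderChartTitle(doc, chartTitle) {
  const el = doc.createElement("h2");
  el.textContent = String(chartTitle); // textContent never parses markup
  return el;
}

// Message handler: exact origin match first, then text-only rendering.
// Returns null when the sender is not trusted so nothing reaches the page.
function handleChartMessage(event, doc) {
  if (!isTrustedOriginAllowList(event.origin)) return null;
  const settings = (event.data && event.data.chartSettings) || {};
  return renderChartTitle(doc, settings.chartTitle || "");
}
```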