Microsoft Confirms 900+ XSS Vulnerabilities Found in IT Services, Ranging from Low Impact to Zero-Click

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Of all the vulnerabilities that plague modern applications, Cross-Site Scripting (XSS) is one of the oldest and most persistent.

Despite being a known threat for over two decades, XSS continues to appear in everything from legacy systems to new, cloud-native architectures.

The Microsoft Security Response Center (MSRC) recently highlighted the enduring nature of this threat, revealing that it continues to receive a steady stream of XSS reports across its wide range of services and applications.

In a recent report, the MSRC shared insights into the prevalence and impact of XSS vulnerabilities, emphasizing that even with advanced security measures like Content Security Policies (CSP) and secure-by-default libraries, the threat remains significant.

Since January 2024, the MSRC has mitigated more than 970 XSS cases, demonstrating the consistent effort required to manage this vulnerability class.

XSS By The Numbers

Between July 2024 and July 2025, XSS vulnerabilities accounted for 15% of all “Important” or “Critical” security cases handled by the MSRC.

During this period, the center addressed 265 specific XSS cases, with 263 rated as Important and two as Critical. In recognition of the security researchers who discovered these flaws, Microsoft awarded a total of $912,300 in bounties for XSS vulnerabilities.

The highest single bounty paid for a high-impact XSS attack, such as one involving token theft or a zero-click exploit, was $20,000.

XSS Vulnerabilities

These vulnerabilities were not confined to a single product but were reported across a wide array of Microsoft’s major services.

The bounty programs for Microsoft Copilot, Microsoft 365, Dynamics 365, Microsoft Identity, Microsoft Azure, and Xbox all received XSS submissions.

The reports, coming from both internal and external researchers, often detailed methods for bypassing sanitization logic and exploiting behaviors in modern web frameworks.
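The two controls the report contrasts with ad-hoc sanitization, context-aware output encoding and a nonce-based Content Security Policy, are easy to show in code. The block below is an added example, not code from the MSRC report or from Microsoft: it renders the same untrusted search query once by plain string concatenation (the pattern behind most reflected XSS reports) and once with per-context encoding, and builds the CSP header that blocks any inline script lacking the response's nonce. The base URL in `safeHref` and every input value are constructed placeholders.

```javascript
// Added example (not from the MSRC report): output encoding per HTML context,
// a URL allow-list, and a nonce-based CSP, beside the concatenation pattern
// they replace. All inputs are constructed.

// Encode for HTML text context. The five characters that can start or end
// markup become entities, so untrusted text can only ever be text.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encode for an HTML attribute value: everything outside [A-Za-z0-9] becomes a
// numeric entity, so the value can neither close the attribute nor add a new one.
function encodeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// Allow only http(s) URLs in href/src; javascript: and data: URLs fall back to
// about:blank. The base is a placeholder used only to resolve relative paths.
function safeHref(raw) {
  try {
    const u = new URL(String(raw), 'https://placeholder.invalid/');
    return u.protocol === 'https:' || u.protocol === 'http:' ? u.href : 'about:blank';
  } catch {
    return 'about:blank';
  }
}

// Untrusted query dropped into the template by concatenation: any markup in
// the query is parsed by the browser as markup.
function renderUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Same template with encoding chosen per context: text through encodeHtml,
// the attribute value through encodeHtmlAttr, the link through safeHref.
function renderSafe(query, link) {
  return `<h1>Results for ${encodeHtml(query)}</h1>` +
    `<a href="${safeHref(link)}" title="${encodeHtmlAttr(query)}">again</a>`;
}

// Nonce-based CSP: inline scripts run only if they carry this nonce, so an
// injected <script> with no nonce is blocked even if encoding was missed.
// The caller must generate a fresh random nonce per response (e.g. from
// crypto.randomBytes) and pass it in; this function only validates its shape.
function buildCsp(nonce) {
  if (!/^[A-Za-z0-9+/=]{16,}$/.test(nonce)) {
    throw new Error('nonce must be base64 text of at least 16 characters');
  }
  return [
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Count tag openers in a fragment. The templates above contribute a fixed
// number (2 for renderUnsafe, 4 for renderSafe); anything beyond that came
// from the untrusted input.
function countTags(html) {
  return (html.match(/<[a-z\/]/gi) || []).length;
}
```

With a constructed input such as `<script>probe()</script>`, `renderUnsafe` emits four tags (the injected pair plus the template's `h1`), while `renderSafe` emits exactly the four tags its own template contains, and `buildCsp` gives the browser a second line of defence for the cases encoding misses.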

Impact Of XSS

Not all XSS vulnerabilities carry the same risk. Microsoft prioritizes issues based on their real-world impact on customers.

Factors such as the potential for data exposure, the level of user interaction required for an exploit, and overall exploitability determine a vulnerability’s severity.

The MSRC uses a matrix that combines data classification with exploit conditions to assign a severity rating.

  • Critical Severity: A zero-click XSS that compromises highly confidential data, like session tokens or sensitive cookies, is rated as Critical.
  • Important Severity: If an XSS requires some user interaction but can still expose confidential information, it is typically rated as Important.
  • Moderate/Low Severity: XSS on public pages with no sensitive data exposure, or scenarios that require the user to perform the attack on themselves (self-XSS), are considered lower severity.

Microsoft also clarified which types of XSS vulnerabilities are considered out of scope for servicing.

These include self-XSS, which requires a user to manually paste a payload into their browser’s developer console, and vulnerabilities that only execute in non-standard or outdated browsers like Internet Explorer.

Similarly, JavaScript execution within a PDF’s restricted environment does not typically qualify unless it can escape into a more privileged context.

To aid security researchers, the MSRC provided a checklist for submitting XSS reports, emphasizing the need for clear, reproducible steps, a proof-of-concept that works without developer tools, and a detailed explanation of the security impact, such as token theft or session hijacking.
