KLA12260 Multiple vulnerabilities in Microsoft Dynamics

Multiple vulnerabilities were found in Microsoft Dynamics. Malicious users can exploit these vulnerabilities to execute arbitrary code, spoof user interface.

Below is a complete list of vulnerabilities:

1. A remote code execution vulnerability in Microsoft Dynamics 365 (on-premises) can be exploited remotely to execute arbitrary code.
2. A cross-site-scripting (XSS) vulnerability Microsoft Dynamics 365 (on-premises) can be exploited remotely to spoof user interface.
3. A cross-site-scripting (XSS) vulnerability Microsoft Dynamics Business Central can be exploited remotely to spoof user interface.

Original advisories

CVE-2021-34524

CVE-2021-36950

CVE-2021-36946

Related products

Microsoft-Dynamics-365

CVE list

CVE-2021-34524 unknown

CVE-2021-36950 unknown

CVE-2021-36946 unknown

KB list

5005368

4618795

5005373

4618809

5005374

5005369

5005370

5005239

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

• Microsoft Dynamics 365 Business Central 2020 Release Wave 1 - Update 16.15Microsoft Dynamics 365 Business Central 2020 Release Wave 2 - Update 17.9Microsoft Dynamics NAV 2018Dynamics 365 Business Central 2019 Spring Update