Kaspersky LabKLA63963KLA63963 Multiple vulnerabilities in Microsoft Dynamics
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
55.0%
Multiple vulnerabilities were found in Microsoft Dynamics. Malicious users can exploit these vulnerabilities to perform cross-site scripting attack, spoof user interface, obtain sensitive information.
Below is a complete list of vulnerabilities:
- A cross-site-scripting (XSS) vulnerability Microsoft Dynamics 365 (on-premises) can be exploited remotely to spoof user interface.
- A spoofing vulnerability in Dynamics 365 Sales can be exploited remotely to spoof user interface.
- A cross-site-scripting (XSS) vulnerability Microsoft Dynamics 365 Customer Engagement can be exploited remotely to spoof user interface.
- An information disclosure vulnerability in Microsoft Dynamics Business Central/NAV can be exploited remotely to obtain sensitive information.
- A spoofing vulnerability in Dynamics 365 Field Service can be exploited remotely to spoof user interface.
Original advisories
Related products
CVE list
CVE-2024-21393 critical
CVE-2024-21328 critical
CVE-2024-21327 critical
CVE-2024-21389 critical
CVE-2024-21396 critical
CVE-2024-21380 critical
CVE-2024-21394 critical
CVE-2024-21395 critical
KB list
Solution
Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)
Impacts
- OSI
Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.
- XSS/CSS
Cross site scripting. Exploitation of vulnerabilities with this impact can lead to partial interception of information transmitted between user and site.
- SUI
Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.
Affected Products
- Microsoft Dynamics 365 Business Central 2023 Release Wave 2Microsoft Dynamics 365 Customer Engagement V9.1Microsoft Dynamics 365 (on-premises) version 9.1Microsoft Dynamics 365 Business Central 2023 Release Wave 1Microsoft Dynamics 365 Business Central 2022 Release Wave 2
References
support.microsoft.com/kb/5035110
support.microsoft.com/kb/5035205
support.microsoft.com/kb/5035206
support.microsoft.com/kb/5035207
msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21327
msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21328
msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21380
msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21389
msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21393
msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21394
msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21395
msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21396
statistics.securelist.com/
threats.kaspersky.com/en/product/Microsoft-Dynamics-365/
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
55.0%