Lucene search
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS24_SEP_MICROSOFT_DYNAMICS.NASLHistorySep 11, 2024 - 12:00 a.m.
Security Updates for Microsoft Dynamics 365 (on-premises) (September 2024)
2024-09-1100:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
1
microsoft dynamics 365
on-premises
cross-site scripting
xss
security updates
september 2024
user-supplied input
remote attacker
arbitrary script code.
CVSS3
7.6
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C
AI Score
6.4
Confidence
High
The Microsoft Dynamics 365 (on-premises) is missing security updates. It is, therefore, affected by a cross-site scripting (XSS) vulnerability. The vulnerability exists due to improper validation of user-supplied input before returning it to users. An authenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user’s browser session.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(206975);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/16");
script_cve_id("CVE-2024-43476");
script_xref(name:"MSKB", value:"5043254");
script_xref(name:"MSFT", value:"MS24-5043254");
script_xref(name:"IAVA", value:"2024-A-0560");
script_name(english:"Security Updates for Microsoft Dynamics 365 (on-premises) (September 2024)");
script_set_attribute(attribute:"synopsis", value:
"The Microsoft Dynamics 365 (on-premises) is affected by a cross-site scripting vulnerability.");
script_set_attribute(attribute:"description", value:
"The Microsoft Dynamics 365 (on-premises) is missing security updates. It is, therefore, affected by a cross-site
scripting (XSS) vulnerability. The vulnerability exists due to improper validation of user-supplied input before
returning it to users. An authenticated, remote attacker can exploit this, by convincing a user to click a specially
crafted URL, to execute arbitrary script code in a user's browser session.
Note that Nessus has not tested for this issue but has instead relied only on the application's
self-reported version number.");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/help/5043254");
script_set_attribute(attribute:"see_also", value:"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43476");
script_set_attribute(attribute:"solution", value:
"Microsoft has released the following security updates to address this issue:
-KB5043254");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-43476");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/09/10");
script_set_attribute(attribute:"patch_publication_date", value:"2024/09/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/09/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:dynamics_365");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("microsoft_dynamics_365_detect.nbin");
script_require_keys("installed_sw/Microsoft Dynamics 365 Server");
script_require_ports(139, 445);
exit(0);
}
include('vcf.inc');
var app = 'Microsoft Dynamics 365 Server';
var app_info = vcf::get_app_info(app:app, win_local:TRUE);
var constraints = [
{ 'min_version' : '9.1', 'fixed_version' : '9.1.32.05', 'fixed_display' : 'Update v9.1 (on-premises) Update 1.32' }
];
vcf::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_WARNING,
flags: {'xss': TRUE}
);
Related
mskb
mskb
Service Update 1.32 for Microsoft Dynamics CRM (on-premises) 9.1
2024-09-10 07:00:00
nvd
nvd
CVE-2024-43476
2024-09-10 17:15:35
mscve
mscve
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
2024-09-10 07:00:00
cvelist
cvelist
vulnrichment
vulnrichment
cve
cve
CVE-2024-43476
2024-09-10 17:15:35
kaspersky
kaspersky
KLA73226 Multiple vulnerabilities in Microsoft Dynamics
2024-09-10 00:00:00
rapid7blog
rapid7blog
Patch Tuesday - September 2024
2024-09-10 20:49:21
CVSS3
7.6
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C
AI Score
6.4
Confidence
High
Related for SMB_NT_MS24_SEP_MICROSOFT_DYNAMICS.NASL