CVE-2020-16956 — Cross-site Scripting in Microsoft Dynamics 365 Version 8.2

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.7%

top 27.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Dynamics 365 Version 8.2 Microsoft Dynamics 365 Version 9.0 Microsoft Dynamics 365

Timeline

PublishedOct 16

Latest updateMay 24

Description

A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected Dynamics server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current authenticated …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5microsoft/microsoft_dynamics_365_version_8.28.0 — publication

▶CVEListV5microsoft/microsoft_dynamics_365_version_9.09.0.0 — publication

▶NVDmicrosoft/dynamics_3658.2, 9.0+1

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-8rh5-6cqx-ggwm: A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an↗2022-05-24

▶

CVEList

Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability↗2020-10-16

▶

📋Vendor Advisories

Microsoft

Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability↗2020-10-13

▶