CVE-2023-36019
published 2023-12-12CVE-2023-36019: Microsoft Power Platform Connector Spoofing Vulnerability
PriorityP345high7.4CVSS 3.1
AVNACLPRNUIRSCCNIHAN
EPSS
16.22%
96.5th percentile
Microsoft Power Platform Connector Spoofing Vulnerability
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | azure_logic_apps | < 3.23113 | 3.23113 |
| microsoft | azure_logic_apps | >= 3.0 < 3.23113 | 3.23113 |
| microsoft | microsoft_power_platform | >= 1.0.0 < 3.23113 | 3.23113 |
| microsoft | power_platform | < 3.23113 | 3.23113 |
| msrc | azure_logic_apps | — | — |
| msrc | microsoft_power_platform | — | — |
CVSS provenance
nvdv3.17.4HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
vendor_msrc9.6CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-xg84-73vx-pq6f: Microsoft Power Platform Connector Spoofing Vulnerability
ghsa_unreviewed·2023-12-12
CVE-2023-36019 [CRITICAL] GHSA-xg84-73vx-pq6f: Microsoft Power Platform Connector Spoofing Vulnerability
Microsoft Power Platform Connector Spoofing Vulnerability
Microsoft
Microsoft Power Platform Connector Spoofing Vulnerability
vendor_msrc·2023-12-12·CVSS 9.6
CVE-2023-36019 [CRITICAL] CWE-73 Microsoft Power Platform Connector Spoofing Vulnerability
Microsoft Power Platform Connector Spoofing Vulnerability
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
The user would have to click on a specially crafted URL to be compromised by the attacker.
FAQ: According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?
The vulnerability is in the web server, but the malicious scripts execute in the victim’s browser on their machine.
FAQ: How do I know if my connector does not have a per-connector redirect URI?
Microsoft notified affected customers about this change in behavior via Microsoft 365 Admin Center (MC690931) or Service Health in the Azure Portal (3_SH-LTG) starting on November 17th, 2023. You
No detection rules found.
No public exploits indexed.
Checkpoint
18th December – Threat Intelligence Report
blogs_checkpoint·2023-12-18
CVE-2023-36019 18th December – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 18th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 18th December, please download our Threat_Intelligence Bulletin .
TOP ATTACKS AND BREACHES
Ukraine’s largest mobile operator, Kyivstar, was hit by “largest cyber-attack on telecom infrastructure in the world”, rendering millions without mobile and internet services for at least 48 hours. Reportedly, the attack also affected air raid sirens, ATMs, and point-of-sale terminals. Russia-affiliated group Solntsepek
Trendmicro
The December 2023 Security Update Review
blogs_trendmicro·2023-12-12
The December 2023 Security Update Review
# The December 2023 Security Update Review
Get the December 2023 security update and review.
By: Zero Day Initiative
2023/12/12
Read time: ( words)
Save to Folio
It’s the final patch Tuesday of 2023, and Apple, Adobe, and Microsoft have released their latest security offerings. Take a break from your holiday hustle and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here:
Apple Patches for December 2023
Apple kicked off the December release cycle with patches for iOS and iPadOS with eight CVEs. Two of these CVEs in Webkit are reported as being under active attack on iOS versions 16.7.1 and older. If you’re using an older iPhone or iPad, you should definitely update your device immediately. If you’re using a dev
Tenable
Microsoft’s December 2023 Patch Tuesday Addresses 33 CVEs (CVE-2023-36019)
blogs_tenable·2023-12-12·CVSS 9.6
[CRITICAL] Microsoft’s December 2023 Patch Tuesday Addresses 33 CVEs (CVE-2023-36019)
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Qualys
Microsoft and Adobe Patch Tuesday, December 2023 Security Update Review
blogs_qualys·2023-12-12
Microsoft and Adobe Patch Tuesday, December 2023 Security Update Review
## Table of Contents
Microsoft Patch Tuesday for December 2023
Adobe Patches for December 2023
Zero-day Vulnerability Patched in December Patch Tuesday Edition
Other Critical Severity Vulnerabilities Patched in December Patch Tuesday Edition
Other Microsoft Vulnerability Highlights
Microsoft Release Summary
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Rapid Response with Patch Management (PM)
Qualys Monthly Webinar Series
Microsoft has wrapped up the year with fewer security updates released in its Patch Tuesday, December 2023 edition. We invite you to join us to review and discuss the details of these security updates and patches.
## Microsoft Patch Tuesday for December 2023
In this month’s Patch Tuesday edition, Microsoft ha
Qualys
Qualys Review: Microsoft and Adobe December Security Patches | Qualys
blogs_qualys·2023-12-12
Qualys Review: Microsoft and Adobe December Security Patches | Qualys
#### Table of Contents
- Microsoft Patch Tuesday for December 2023
- Adobe Patches for December 2023
- Zero-day Vulnerability Patched in December Patch Tuesday Edition
- Other Critical Severity Vulnerabilities Patched in December Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- Qualys Monthly Webinar Series
Microsoft has wrapped up the year with fewer security updates released in its Patch Tuesday, December 2023 edition. We invite you to join us to review and discuss the details of these security updates and patches.
## Microsoft Patch Tuesday for December 2023
In this month’s Patch Tuesday edition,
Bleepingcomputer
Microsoft December 2023 Patch Tuesday fixes 34 flaws, 1 zero-day
blogs_bleepingcomputer·2023-12-12·CVSS 5.5
[MEDIUM] Microsoft December 2023 Patch Tuesday fixes 34 flaws, 1 zero-day
## Microsoft December 2023 Patch Tuesday fixes 34 flaws, 1 zero-day
## Lawrence Abrams
10 Elevation of Privilege Vulnerabilities
8 Remote Code Execution Vulnerabilities
6 Information Disclosure Vulnerabilities
5 Denial of Service Vulnerabilities
5 Spoofing Vulnerabilities
The total count of 34 flaws does not include 8 Microsoft Edge flaws fixed on December 7th.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5033375 cumulative update and Windows 10 KB5033372 cumulative update .
## One publicly disclosed zero-day fixed
This month's Patch Tuesday fixes one AMD zero-day vulnerability disclosed in August that previously remained unpatched.
The ' CVE-2023-20588 - AMD: CVE-2023-20588 AMD Speculative Leaks ' vul
Crowdstrike
December 2023 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] December 2023 Patch Tuesday: Updates and Analysis
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem Mar 25, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem Mar 25, 2026
Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019
Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VI
2023-12-12
Published