KLA11750 Multiple vulnerability in Microsoft Dynamics

Multiple vulnerabilities were found in Microsoft Dynamics. Malicious users can exploit these vulnerabilities to execute arbitrary code, spoof user interface, obtain sensitive information.

Below is a complete list of vulnerabilities:

1. A remote code execution vulnerability in Dynamics Business Central can be exploited remotely to execute arbitrary code.
2. A cross-site-scripting (XSS) vulnerability Microsoft Dynamics 365 (On-Premise) can be exploited remotely via specially crafted web to spoof user interface.
3. Unspecified Microsoft Dynamics Business can be exploited remotely to obtain sensitive information.

Original advisories

CVE-2020-1022

CVE-2020-1050

CVE-2020-1049

CVE-2020-1018

Related products

Microsoft-Dynamics-365

CVE list

CVE-2020-1022 high

CVE-2020-1050 warning

CVE-2020-1049 warning

CVE-2020-1018 warning

KB list

4538593

4549673

4557700

4557699

4549676

4549674

4549678

4549675

4549677

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

• SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

• Dynamics 365 Server, version 9.0 (on-premises)Microsoft Dynamics 365 BC On PremiseMicrosoft Dynamics NAV 2017Microsoft Dynamics NAV 2016Dynamics 365 Business Central 2019 Spring UpdateMicrosoft Dynamics NAV 2018Microsoft Dynamics NAV 2013Dynamics 365 Business Central 2019 Release Wave 2 (On-Premise)Microsoft Dynamics NAV 2015