KLA20227 Multiple vulnerabilities in Microsoft Dynamics

2023-02-14 00:00:00
Kaspersky Lab
threats.kaspersky.com

CVSS3: 8 High

  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: LOW
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

  CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score: 7.1 High (Confidence: High)

EPSS: 0.014 Low (Percentile: 86.4%)

Multiple vulnerabilities were found in Microsoft Dynamics. Malicious users can exploit these vulnerabilities to spoof the user interface and execute arbitrary code.

Below is a complete list of vulnerabilities:

  1. A cross-site scripting (XSS) vulnerability in Microsoft Dynamics 365 (on-premises) can be exploited remotely to spoof the user interface.
  2. A remote code execution vulnerability in Microsoft Dynamics Unified Service Desk can be exploited remotely to execute arbitrary code.

Original advisories

  • CVE-2023-21807
  • CVE-2023-21570
  • CVE-2023-21573
  • CVE-2023-21572
  • CVE-2023-21571
  • CVE-2023-21778

Related products

  • Microsoft-Dynamics-365

CVE list

  • CVE-2023-21807 high
  • CVE-2023-21570 high
  • CVE-2023-21573 high
  • CVE-2023-21572 high
  • CVE-2023-21571 high
  • CVE-2023-21778 critical

KB list

  • 5023506
  • 5023505

Solution

Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can allow an attacker to execute arbitrary code or commands on the vulnerable machine or in the vulnerable process.

  • XSS/CSS

Cross-site scripting. Exploitation of vulnerabilities with this impact can lead to partial interception of information transmitted between the user and the site.

  • SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in the user interface that mislead the user into taking unintended actions.

Affected Products

  • Microsoft Dynamics 365 (on-premises) version 9.0
  • Microsoft Dynamics 365 (on-premises) version 9.1
  • Microsoft Dynamics 365 Unified Service Desk
