Multiple vulnerabilities in Microsoft Dynamics 365 Server

Published: 2019-02-13
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
CVE ID: CVE-2019-0745, CVE-2018-8654
CWE ID: CWE-284
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Microsoft Dynamics CRM Server
Vendor: Microsoft

Security Advisory

1) Improper access control

Severity: Medium

CVSSv3: 5.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-0745

CWE-ID: CWE-284 - Improper Access Control

Description

The vulnerability allows a remote attacker to escalate privileges within the application.

The vulnerability exists due to improper access restrictions when processing HTTP requests. A remote authenticated attacker can impersonate another application user and gain elevated privileges within Microsoft Dynamics 365 Server.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Microsoft Dynamics CRM Server: 8

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0745

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper access control

Severity: Medium

CVSSv3: 5.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-8654

CWE-ID: CWE-284 - Improper Access Control

Description

The vulnerability allows a remote attacker to escalate privileges within the application.

The vulnerability exists due to improper access restrictions when processing HTTP requests. A remote authenticated attacker can impersonate another application user and gain elevated privileges within Microsoft Dynamics 365 Server.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Microsoft Dynamics CRM Server: 8

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8654

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


