Multiple vulnerabilities in Microsoft Dynamics 365 for Finance and Operations (on-premises)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2020-17158 CVE-2020-17152 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Microsoft Dynamics 365 for Finance and Operations (on-premises) Web applications / CRM systems |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU48855
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-17158
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote authenticated attacker can pass specially crafted input to the application and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMicrosoft Dynamics 365 for Finance and Operations (on-premises): 10.0.11
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17158
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU48856
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-17152
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote authenticated attacker can pass specially crafted input to the application and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMicrosoft Dynamics 365 for Finance and Operations (on-premises): 10.0.11
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17152
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
