Main Vulnerability Database Vulnerabilities #VU20287

Code Injection in Microsoft Dynamics 365 - CVE-2019-1229

Published: August 14, 2019

Vulnerability identifier: #VU20287

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-1229

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Microsoft

Affected software:
Microsoft Dynamics 365

Detailed vulnerability description

The vulnerability allows a remote authenticated attacker to escalate privileges on the system.

The vulnerability exists due to improper input validation when processing XAML scripts. A remote privileged user with permission to author customized business rules in Dynamics can create a specially crafted XAML script and execute it on the system.

Successful exploitation of this vulnerability may allow an attacker to gain control of the Web Role hosting the Dynamics installation

How to mitigate CVE-2019-1229

Install updates from vendor's website.

Sources

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1229

Code Injection in Microsoft Dynamics 365 - CVE-2019-1229

Detailed vulnerability description

How to mitigate CVE-2019-1229

Sources

Please verify you're human