Un Authenticated Attacker Can Trick Users to Click on Spoofing Links
CVE-2024-38166

8.2HIGH

Key Information:

Vendor: Microsoft
Status: Dynamics Crm Service Portal Web Resource
Vendor: CVE Published:; 6 August 2024

What is CVE-2024-38166?

A cross-site scripting vulnerability exists in Microsoft Dynamics 365 that allows attackers to exploit improper input handling during web page generation. By crafting a malicious link, an unauthenticated attacker can deceive a user into clicking on it, potentially compromising user interactions with the application. This could lead to unauthorized actions by exploiting the trust of the user in the affected product. Implementing proper input validation and user education can help mitigate the risks associated with this vulnerability.

Affected Version(s)

Dynamics CRM Service Portal Web Resource Unknown

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisory

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 6, 2024