Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Published: 2019-08-14
Updated: 2024-11-21
Summary
An elevation of privilege vulnerability exists in Dynamics On-Premise v9. An attacker who successfully exploited the vulnerability could leverage a customizer privilege within Dynamics to gain control of the Web Role hosting the Dynamics installation. To exploit this vulnerability, an attacker needs to have credentials for a user that has permission to author customized business rules in Dynamics, and persist XAML script in a way that causes it to be interpreted as code. The update addresses the vulnerability by restricting XAML activities to a whitelisted set.
Vulnerable Configurations
Part | Description | Count |
Application | Microsoft | 1 |
Nessus
NASL family | Windows |
NASL id | SMB_NT_MS19_AUG_MICROSOFT_DYNAMICS.NASL |
description | The Microsoft Dynamics 365 (on-premises) install is missing a security update. It is, therefore, affected by the following vulnerability : - An elevation of privilege vulnerability exists in Dynamics On-Premise v9. An attacker who successfully exploited the vulnerability could leverage a customizer privilege within Dynamics to gain control of the Web Role hosting the Dynamics installation. (CVE-2019-1229) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 127861 |
published | 2019-08-14 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/127861 |
title | Security Updates for Microsoft Dynamics 365 (on-premises) (August 2019) |