CVE-2024-38166

An unauthenticated attacker can exploit improper neutralization of input during web page generation in Microsoft Dynamics 365 to spoof over a network by tricking a user to click on a link.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38166	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource:-:*:*:*:*:*:*:*

History

12 Aug 2024, 18:33

Type	Values Removed	Values Added
References	~~() https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38166 -~~	() https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38166 - Patch, Vendor Advisory
First Time		Microsoft Microsoft dynamics Crm Service Portal Web Resource
CPE		cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource:-:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~8.2~~	v2 : unknown v3 : 6.1

07 Aug 2024, 15:17

Type	Values Removed	Values Added
Summary		(es) Un atacante no autenticado puede aprovechar la neutralización inadecuada de la entrada durante la generación de una página web en Microsoft Dynamics 365 para falsificar una red engañando a un usuario para que haga clic en un enlace.

06 Aug 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-06 22:15

Updated : 2024-08-14 00:15

NVD link : CVE-2024-38166

Mitre link : CVE-2024-38166

CVE.ORG link : CVE-2024-38166

JSON object : View

Products Affected

microsoft

dynamics_crm_service_portal_web_resource

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-38166", "cveTags": [{"tags": ["exclusively-hosted-service"], "sourceIdentifier": "secure@microsoft.com"}], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "secure@microsoft.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.8}]}, "published": "2024-08-06T22:15:54.163", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38166", "tags": ["Patch", "Vendor Advisory"], "source": "secure@microsoft.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "secure@microsoft.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An unauthenticated attacker can exploit improper neutralization of input during web page generation in Microsoft Dynamics 365 to spoof over a network by tricking a user to click on a link."}, {"lang": "es", "value": "Un atacante no autenticado puede aprovechar la neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de una p\u00e1gina web en Microsoft Dynamics 365 para falsificar una red enga\u00f1ando a un usuario para que haga clic en un enlace."}], "lastModified": "2024-08-14T00:15:07.687", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C6F0036-1B3D-4C05-9D82-05C107F5578C"}], "operator": "OR"}]}], "sourceIdentifier": "secure@microsoft.com"}