CVE-2020-16857: Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 7.1)

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N/E:P/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Patch Tuesday

2020-Sep

Released

2020-09-08

EPSS Score

0.48% (percentile: 65.0%)

Description

A remote code execution vulnerability exists in Microsoft Dynamics 365 for Finance and Operations (on-premises) version 10.0.11. An attacker who successfully exploited this vulnerability could gain remote code execution via server-side script execution on the victim server. An authenticated attacker with privileges to import and export data could exploit this vulnerability by sending a specially crafted file to a vulnerable Dynamics server. The security update addresses the vulnerability by correcting how Microsoft Dynamics 365 for Finance and Operations (on-premises) version 10.0.11 handles user input.

Affected Products (1)

Other

• 11786

Security Updates (1)

• Release Notes

Acknowledgments

<a href="https://twitter.com/n_joly">Nicolas Joly</a> of Microsoft Corporation

Revision History

• 2020-09-08: Information published.