CVE-2020-16943: Dynamics 365 Commerce Elevation of Privilege Vulnerability
Overview
- Severity
- Medium (CVSS 6.5)
- CVSS Vector
- CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
- Category
- Elevation of Privilege
- Exploit Status
- Not Exploited
- Exploitation Likelihood
- Less Likely
- Patch Tuesday
- 2020-Oct
- Released
- 2020-10-13
- Last Updated
- 2020-11-10
- EPSS Score
- 0.57% (percentile: 68.8%)
Description
An elevation of privilege vulnerability exists in Microsoft Dynamics 365 Commerce. An unauthenticated attacker who successfully exploited this vulnerability could update data without proper authorization.
To exploit the vulnerability, an attacker would need to send a specially crafted request to an affected server.
The security update addresses the vulnerability by correcting how Microsoft Dynamics 365 Commerce performs authorization checks.
FAQ
Is the update for Dynamics 365 Commerce that addresses this vulnerability currently available?
The security update for Dynamics 365 Commerce is not immediately available. The update will be released as soon as possible, and when it becomes available, customers will be notified via a revision to this CVE information.
Affected Products (5)
Other
- 11810
- 11811
- 11812
- 11813
- 11814
Security Updates (1)
Acknowledgments
Prodware https://www.prodwaregroup.com/es-es/
Revision History
- 2020-10-13: Information published.
- 2020-10-13: In the Security Updates table, removed the Article and Download links because an update is not yet available for Dynamics 365 Commerce. Customers will be notified via a revision to this CVE information when an update becomes available.
- 2020-11-10: Microsoft is announcing the availability of the security updates for Dynamics 365 Commerce. The Security Updates table has been revised to list the versions that are affected by this vulnerability. Customers running any of these versions of Dynamics 365 Commerce should install the update for their product to be protected from this vulnerability.