CVE-2022-23269: Microsoft Dynamics GP Spoofing Vulnerability

Overview

Severity

Medium (CVSS 5.4)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C

Category

Spoofing

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2022-Feb

Released

2022-02-08

Last Updated

2022-02-25

EPSS Score

0.49% (percentile: 65.7%)

FAQ

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An authenticated user would have to visit a specific URL that will create an action for a workflow. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? The vulnerability is in the web server, but the malicious scripts execute in the victim’s browser on their machine. According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires that an attacker has privileges to generate a workflow. Dynamics GP will send an email to the user based on the info registered. According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.

Affected Products (1)

Microsoft Dynamics

• Microsoft Dynamics GP

Security Updates (1)

• Release Notes

Acknowledgments

Ha Anh Hoang with <a href="https://viettelcybersecurity.com/">Viettel Cyber Security</a>

Revision History

• 2022-02-08: Information published.
• 2022-02-25: Updated one or more CVSS scores for the affected products and added an FAQ explaining the vector string settings. This is an informational change only.