CVE-2023-24922: Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
Overview
- Severity
- Medium (CVSS 6.5)
- CVSS Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
- Category
- Information Disclosure
- Exploit Status
- Not Exploited
- Exploitation Likelihood
- Less Likely
- Patch Tuesday
- 2023-Mar
- Released
- 2023-03-14
- Last Updated
- 2023-04-25
- EPSS Score
- 6.48% (percentile: 91.1%)
FAQ
What type of information could be disclosed by this vulnerability?
This vulnerability causes a verbose error message that could provide attacker with enough information to construct a malicious payload.
According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?
Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.
Affected Products (2)
Microsoft Dynamics
- Microsoft Dynamics 365 (on-premises) version 9.0
- Microsoft Dynamics 365 (on-premises) version 9.1
Security Updates (2)
Acknowledgments
<a href="https://www.linkedin.com/in/tevfikd/">Tevfik DEMÄ°REL</a> with <a href="https://www.linkedin.com/in/tevfikd/">Cyber Security Engineer</a>
Revision History
- 2023-03-14: Information published.
- 2023-04-25: Added FAQ information. This is an informational change only.