CVE-2024-30061: Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability

Overview

Severity

High (CVSS 7.3)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C

Category

Information Disclosure

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2024-Jul

Released

2024-07-09

EPSS Score

5.03% (percentile: 89.7%)

FAQ

According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability? An authorized attacker must be on the network to monitor domain network traffic (PR:L) while monitoring for user (UI:R) generated network traffic, or alternatively that attacker convinces an authenticated user to execute a malicious script, as a step to exploit this vulnerability. What type of information could be disclosed by this vulnerability? This vulnerability discloses data stored in the underlying datasets in Dataverse, that could include Personal Identifiable Information.

Affected Products (1)

Microsoft Dynamics

• Microsoft Dynamics 365 (on-premises) version 9.1

Security Updates (1)

• 5037940

Acknowledgments

<a href="https://twitter.com/kire_devs_hacks">Erik Donker</a>

Revision History

• 2024-07-09: Information published.