CVE-2024-35248: Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability

Overview

Severity

High (CVSS 7.3)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2024-Jun

Released

2024-06-11

EPSS Score

1.70% (percentile: 82.3%)

FAQ

According to the CVSS metrics, successful exploitation of this vulnerability could lead to minor loss of confidentiality (C:L), integrity (I:L) and availability (A:L). What does that mean for this vulnerability? While we cannot rule out the impact to Confidentiality, Integrity, and Availability, the ability to exploit this vulnerability by itself is limited. An attacker would need to combine this with other vulnerabilities to perform an attack. What privileges could be gained by an attacker who successfully exploited the vulnerability? The attacker would gain the rights of the user that is running the affected application.

Affected Products (3)

Microsoft Dynamics

• Microsoft Dynamics 365 Business Central 2023 Release Wave 1
• Microsoft Dynamics 365 Business Central 2023 Release Wave 2
• Microsoft Dynamics 365 Business Central 2024 Release Wave 1

Security Updates (3)

• 5038529
• 5038530
• 5038531

Acknowledgments

Dr. Florian Hauser @frycos with CODE WHITE GmbH

Revision History

• 2024-06-11: Information published.