CVE-2024-49035: Partner.Microsoft.Com Elevation of Privilege Vulnerability

Overview

Severity: High (CVSS 8.7)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C
Category: Elevation of Privilege
Exploit Status: Actively Exploited
Exploitation Likelihood: Detected
Patch Tuesday: 2024-Nov
Released: 2024-11-26
Last Updated: 2024-11-27
EPSS Score: 6.16% (percentile: 90.8%)
CISA KEV: Listed, due 2025-03-18

Description

An improper access control vulnerability in Partner.Microsoft.com allows an unauthenticated attacker to elevate privileges over a network.

FAQ

Why is no action required to install this update?

This CVE addresses a vulnerability in the Microsoft Power Apps online version only. As such, customers do not need to take any action because releases are rolled out automatically over several days. For more information about the releases for Microsoft Power Apps, see "What's new in Power Apps?".

Affected Products (1)

Azure

  • Microsoft Partner Center

Acknowledgments

Apoorv Wadhwa, Gautam Peri, Anonymous

Revision History

  • 2024-11-26: Information published.
  • 2024-11-27: Corrected Exploited to Yes. This is an informational change only.