CVE-2025-49745: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Overview

Severity

Medium (CVSS 5.4)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

Category

Spoofing

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2025-Aug

Released

2025-08-12

EPSS Score

0.07% (percentile: 20.3%)

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to perform spoofing over a network.

FAQ

According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability). According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have to click on a specially crafted URL to be compromised by the attacker.

Affected Products (1)

Microsoft Dynamics

• Microsoft Dynamics 365 (on-premises) version 9.1

Security Updates (1)

• 5059086

Acknowledgments

<a href="https://batr.am/">batram</a>, <a href="https://batr.am/">batram</a>

Revision History

• 2025-08-12: Information published.