CVE-2025-62211: Dynamics 365 Field Service (online) Spoofing Vulnerability

Overview

  • Severity: High (CVSS 8.7)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C
  • Category: Spoofing
  • Exploit Status: Not Exploited
  • Exploitation Likelihood: Unlikely
  • Patch Tuesday: 2025-Nov
  • Released: 2025-11-11
  • EPSS Score: 0.04% (percentile: 11.3%)

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network.

FAQ

According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability?

An authorized attacker must send the user a malicious link and convince the user to open it.

What actions do customers need to take to protect themselves from this vulnerability?

Customers running Dynamics 365 Field Service (online) need to go to the Power Platform admin center and apply the updates. See "Update apps and solutions" for more information about updating your Field Service app.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

The vulnerability is in the web server, but the malicious scripts execute in the victim's browser on their machine.
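As an added illustration (not Microsoft's code, and not the actual Field Service defect, which the advisory does not detail), the CWE-79 pattern the description names, "improper neutralization of input during web page generation", shown in a minimal page renderer beside its hardened form; the URL, the `name` parameter and the page template are constructed for the example.

```python
# Added example (not Microsoft's or the Field Service product's code): a minimal
# page renderer showing the CWE-79 pattern the advisory names, beside a hardened
# version that encodes the untrusted value for the HTML context it lands in.
import html
from urllib.parse import parse_qs, urlsplit


def _name_param(url: str) -> str:
    """Pull the constructed 'name' query parameter from a link (decoded by parse_qs)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("name", ["guest"])[0]


def render_unsafe(url: str) -> str:
    """Vulnerable: the parameter is interpolated into the page verbatim, so whoever
    authored the link controls markup the victim's browser renders as the site's own
    (the spoofing outcome the advisory describes)."""
    return f"<p>Signed in as {_name_param(url)}</p>"


def render_safe(url: str) -> str:
    """Hardened: HTML-encode before interpolating into a text node, so the value is
    displayed literally instead of being parsed as markup."""
    return f"<p>Signed in as {html.escape(_name_param(url), quote=True)}</p>"


def injected_tags(rendered: str, template_tags: int) -> int:
    """Defender-side check: count tag openers beyond those the template itself emits."""
    return rendered.count("<") - template_tags


# Constructed link of the kind UI:R describes: the victim has to open it.
# The parameter decodes to "<b>Support</b> notice".
CRAFTED_LINK = "https://example.invalid/app?name=%3Cb%3ESupport%3C%2Fb%3E%20notice"

if __name__ == "__main__":
    print(render_unsafe(CRAFTED_LINK))  # an extra <b> element reaches the browser
    print(render_safe(CRAFTED_LINK))    # the browser shows the literal text "<b>Support</b> notice"
```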

Affected Products (1)

Microsoft Dynamics

  • Dynamics 365 Field Service (online)

Acknowledgments

Brad Schlintz (nmdhkr), https://x.com/nmdhkr

Revision History

  • 2025-11-11: Information published.