Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to bypass a security feature over a network.
According to the CVSS metric, user interaction is required (UI:R) and privileges required are Low (PR:L). What does that mean for this vulnerability? A user must interact with a malicious Power Apps canvas app, such as by opening or using it. Additionally, an attacker only needs basic capabilities to create or share a Power App; they do not need administrative access. According to the CVSS metric, successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? This vulnerability could lead to the attacker gaining the ability to interact with other tenant’s applications and content. What kind of security feature could be bypassed by successfully exploiting this vulnerability? The vulnerability could bypass the security warning dialog that is meant to clearly inform users when an app is attempting to open an external protocol. Because whitespace in the URI causes the dialog to truncate important information, users may not see the true destination or risk. How could an attacker exploit this vulnerability? An attacker could create a malicious Power Apps canvas app that includes an external protocol link disguised with leading whitespace. When a user opens the app, the resulting warning dialog may appear incomplete or misleading. If the user proceeds, the app could trigger an external protocol call that performs unintended actions on the user’s device.
<a href="https://www.linkedin.com/in/alasdair-gorniak/">Alasdair Gorniak</a> with <a href="https://delta.cyberm.ca/">Delta Obscura</a>