Severity
High
Analysis Summary
CVE-2024-38166 CVSS:8.2
Microsoft Dynamics 365 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2024-38206 CVSS:8.5
Microsoft Copilot Studio could allow a remote authenticated attacker to obtain sensitive information, caused by a server-side request forgery attack. An attacker could exploit this vulnerability to leak sensitive information over a network.
Impact
- Information Disclosure
- Cross-Site Scripting
Indicators of Compromise
CVE
- CVE-2024-38166
- CVE-2024-38206
Affected Vendors
Affected Products
- Microsoft Dynamics CRM Service Portal Web Resource
- Microsoft Copilot Studio
Remediation
Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.