The Microsoft Dynamics 365 (on-premises) is missing security updates. It is, therefore, affected by multiple vulnerabilities :

  - A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly     sanitize a specially crafted web request to an affected Dynamics server. An authenticated attacker could     exploit the vulnerability by sending a specially crafted request to an affected Dynamics server. The     attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on     affected systems and run script in the security context of the current authenticated user. These attacks     could allow the attacker to read content that the attacker is not authorized to read, use the victim's     identity to take actions within Dynamics Server on behalf of the user, such as change permissions and     delete content, and inject malicious content in the browser of the user. The security update addresses the     vulnerability by helping to ensure that Dynamics Server properly sanitizes web requests. (CVE-2020-16858,     CVE-2020-16859, CVE-2020-16861, CVE-2020-16864, CVE-2020-16871, CVE-2020-16872, CVE-2020-16878)

  - A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) when the server fails     to properly sanitize web requests to an affected Dynamics server. An attacker who successfully exploited     the vulnerability could run arbitrary code in the context of the SQL service account. An authenticated     attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable Dynamics     server. The security update addresses the vulnerability by correcting how Microsoft Dynamics 365     (on-premises) validates and sanitizes user input. (CVE-2020-16860, CVE-2020-16862)

Detections

Analytics

Security Updates for Microsoft Dynamics 365 (on-premises) (September 2020)

high Nessus Plugin ID 140429

Version 1.10

Version 1.9

Version 1.8

Version 1.10 Nov 29, 2024, 9:42 AM CVSS metrics ("CVSSv3 score" set to 8.8) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H") CVSSv3 score source (changed from "CVE-2020-16872" to none) Plugin Feed: 202411290942
Version 1.9 Feb 21, 2024, 4:36 PM CVSS metrics ("CVSSv3 score" set to 7.6. "CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N") CVSSv3 score source (set to "CVE-2020-16872") Exploit attributes ("Exploit available" set to "False") Plugin Feed: 202402211636
Version 1.8 Dec 6, 2022, 6:51 PM Reference Plugin Feed: 202212061851