CVE-2023-24919: 
Microsoft Dynamics 365 vulnerability analysis and mitigation

Microsoft Dynamics 365 (on-premises) contains a Cross-site Scripting (XSS) vulnerability. The vulnerability was initially identified and assigned CVE-2023-24919 on January 31, 2023, affecting Microsoft Dynamics 365 versions 9.0 (up to 9.0.45.11) and 9.1 (up to 9.1.16.20) in on-premises deployments (MITRE CVE, NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 Base Score of 5.4 (Medium). The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C) with low confidentiality (C:L) and integrity (I:L) impacts, and no availability impact (A:N) (NVD).

The Cross-site Scripting vulnerability could allow an attacker to inject malicious scripts that execute in the context of the victim's browser session. This could potentially lead to unauthorized access to sensitive information, session hijacking, or other malicious activities within the scope of the user's browser session (MITRE CVE).

Microsoft has released security updates to address this vulnerability. Organizations running affected versions of Dynamics 365 (on-premises) should upgrade to versions 9.0.45.11 or 9.1.16.20 or later (Microsoft Advisory).