CVE-2023-36016: 
Microsoft Dynamics 365 vulnerability analysis and mitigation

Microsoft Dynamics 365 (on-premises) was found to be vulnerable to a Cross-site Scripting (XSS) vulnerability. The vulnerability, tracked as CVE-2023-36016, was disclosed in November 2023 and affects versions prior to 9.0 and 9.1 of Microsoft Dynamics 365 (on-premises) (NIST NVD, Microsoft Security).

The vulnerability has been assigned a CVSS v3.1 base score of 6.2 MEDIUM by Microsoft Corporation, with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N. The NVD assessment provided a lower base score of 3.4 LOW with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NIST NVD).

If successfully exploited, this cross-site scripting vulnerability could allow an attacker to conduct cross-site scripting attacks against vulnerable resources. The vulnerability primarily affects the confidentiality aspect of the system, with high privileges required for exploitation (Qualys Research).

Microsoft has released security updates to address this vulnerability. Organizations running Microsoft Dynamics 365 (on-premises) should upgrade to the latest patched versions. The vulnerability affects versions prior to 9.0.51.06 and versions prior to 9.1.23.10 (NIST NVD).