CVE-2023-36020: 
Microsoft Dynamics 365 vulnerability analysis and mitigation

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability affects versions from 9.0 up to 9.0.51.06 and from 9.1 up to 9.1.23.10. This vulnerability was discovered and reported to Microsoft, with initial CVE assignment on June 20, 2023 (CVE MITRE, NVD).

The vulnerability is classified as a Cross-site Scripting (XSS) issue, specifically falling under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is rated 7.6 HIGH by Microsoft with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N, while NVD rates it at 5.4 MEDIUM with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could allow an attacker to execute cross-site scripting attacks against users of Microsoft Dynamics 365 (on-premises). Based on the CVSS scores, the vulnerability has a high impact on confidentiality and a low impact on integrity, with no impact on availability (NVD).

Microsoft has released security updates to address this vulnerability. Users should upgrade their Microsoft Dynamics 365 (on-premises) installations to versions 9.0.51.06 or later for the 9.0 branch, or 9.1.23.10 or later for the 9.1 branch (Microsoft Security Update Guide).