CVE-2023-36030 is a cross-site scripting (XSS) vulnerability identified in Microsoft Dynamics 365 (on-premises) version 9.1 and also affecting version 9.0. The root cause is improper neutralization of user-supplied input during web page generation, classified under CWE-79. This flaw allows an attacker to inject malicious scripts into web pages viewed by other users. The vulnerability can be exploited remotely over the network without requiring authentication, but it does require user interaction, such as clicking a maliciously crafted link or visiting a compromised page. The CVSS v3.1 base score is 6.1 (medium severity), reflecting that the attack vector is network-based with low attack complexity and no privileges required, but user interaction is necessary. The impact primarily affects confidentiality and integrity, enabling attackers to perform actions like session hijacking, cookie theft, or spoofing user interface elements to deceive users. Availability is not impacted. No public exploits or active exploitation in the wild have been reported to date. The vulnerability affects on-premises deployments of Microsoft Dynamics 365 Sales, a widely used CRM platform in enterprise environments. Given the nature of the vulnerability, it can be leveraged in targeted phishing campaigns or social engineering attacks to compromise user accounts or gain unauthorized access to sensitive business data. Microsoft has not yet published a patch at the time of this report, so organizations must monitor for updates and apply them promptly once available.

For European organizations, this vulnerability poses a moderate risk primarily to confidentiality and integrity of customer relationship management data. Exploitation could allow attackers to steal session tokens, impersonate users, or manipulate displayed content to conduct phishing or fraud. This is particularly concerning for sectors relying heavily on Dynamics 365 for sales, customer data, and business operations, such as finance, manufacturing, and retail. The lack of availability impact means business continuity is less likely to be disrupted, but data breaches and unauthorized access could lead to regulatory non-compliance under GDPR, reputational damage, and financial losses. Since the vulnerability requires user interaction, phishing awareness and user training remain critical. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities once patches are released. Organizations with on-premises deployments, which are more common in Europe due to data sovereignty preferences, are more exposed compared to cloud-only customers who receive managed updates.

1. Monitor Microsoft security advisories closely and apply official patches or updates for Dynamics 365 (on-premises) version 9.1 and 9.0 as soon as they become available. 2. Implement strict input validation and output encoding on all user-supplied data within customizations or integrations to reduce injection risks. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the Dynamics 365 web interface. 4. Conduct regular security awareness training for users to recognize and avoid phishing attempts that could exploit this vulnerability. 5. Review and limit user permissions within Dynamics 365 to minimize the impact of compromised accounts. 6. Use web application firewalls (WAF) with rules tuned to detect and block XSS attack patterns targeting Dynamics 365 endpoints. 7. Audit and monitor logs for unusual activities or access patterns that may indicate exploitation attempts. 8. Consider isolating or segmenting the Dynamics 365 on-premises environment to reduce lateral movement risks if compromised.