
CVE-2023-36410: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Microsoft Microsoft Dynamics 365 (on-premises) version 9.1

Severity: High
Tags: Vulnerability, CVE-2023-36410, CWE-79
Published: Tue Nov 14 2023 (11/14/2023, 17:57:11 UTC)
Source: CVE
Vendor/Project: Microsoft
Product: Microsoft Dynamics 365 (on-premises) version 9.1

Description

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

AI-Powered Analysis

AI analysis last updated: 06/25/2025, 03:51:41 UTC

Technical Analysis

CVE-2023-36410 is a high-severity Cross-site Scripting (XSS) vulnerability in Microsoft Dynamics 365 (on-premises). The affected product is listed as version 9.1, and version 9.0 is affected as well. The flaw stems from improper neutralization of input during web page generation (CWE-79): an attacker who holds a low-privileged account and can induce a user to interact with crafted content is able to inject script into pages rendered by the Dynamics 365 web application.

The CVSS v3.1 base score is 7.6 (High). The attack vector is network-based (AV:N) with low attack complexity (AC:L); exploitation requires low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning the impact can extend to resources beyond the initially vulnerable component. The confidentiality impact is high (C:H), the integrity impact is low (I:L) and availability is not affected (A:N). In practice, script executing in the context of the victim's browser could read sensitive information or session tokens, but the vulnerability does not by itself allow direct modification of data or disruption of service.

No exploitation in the wild is known at the time of this analysis, and the source data does not include a patch link or explicit mitigation guidance. Because Dynamics 365 is a widely deployed enterprise resource planning (ERP) and customer relationship management (CRM) platform, exploitation could expose significant business data or enable session hijacking within an affected organization. The user-interaction requirement suggests that a real attack would rely on social engineering, such as persuading a user to open a crafted link or interact with malicious content inside the Dynamics 365 environment.

Potential Impact

For European organizations, this vulnerability poses a significant risk because Microsoft Dynamics 365 is widely used for critical business operations such as sales, customer management and enterprise resource planning. Successful exploitation could lead to unauthorized disclosure of sensitive business data, including customer information, financial records and internal communications. Such a breach could result in regulatory non-compliance, particularly under GDPR, with potential fines and reputational damage. The integrity impact is limited, but an attacker could use stolen session tokens or credentials to escalate privileges or move laterally within the network. The absence of an availability impact means service disruption is unlikely, yet a confidentiality breach alone can have severe consequences. Organizations in sectors with highly sensitive data, such as finance, healthcare and government, are particularly at risk. Because user interaction is required, phishing or targeted social engineering campaigns could be used to trigger exploitation, widening the attack surface. The scope change indicates that the attacker might affect components or services beyond the immediate Dynamics 365 instance, potentially broadening the impact within complex IT environments.

Mitigation Recommendations

1. Apply the latest security updates and patches from Microsoft as soon as they become available for Dynamics 365 (on-premises) version 9.1 and related versions. Even though no patch link is provided, monitoring Microsoft’s official security advisories is critical.
2. Implement strict input validation and output encoding on all user-supplied data within customizations or extensions of Dynamics 365 to prevent injection of malicious scripts.
3. Employ Content Security Policy (CSP) headers to restrict the execution of untrusted scripts in the Dynamics 365 web interface.
4. Educate users on the risks of phishing and social engineering, emphasizing caution when interacting with unexpected links or content within Dynamics 365 portals.
5. Restrict user privileges to the minimum necessary, especially limiting the ability to inject or modify web content, to reduce the attack surface.
6. Monitor logs and network traffic for unusual activities that may indicate attempted exploitation, such as suspicious URL parameters or script injections.
7. Consider deploying Web Application Firewalls (WAF) with rules tuned to detect and block XSS payloads targeting Dynamics 365 endpoints.
8. Review and harden any custom plugins or third-party integrations with Dynamics 365 to ensure they do not introduce additional injection points.
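Recommendations 2 and 3 above are the two controls that actually remove CWE-79 from custom code: encode untrusted values before they are written into HTML, and serve a Content-Security-Policy so that any script that still reaches the page cannot run. The following JavaScript is an added example written for this page; it is not code from the advisory, from Microsoft or from Dynamics 365, and it applies to the kind of custom web resource or portal extension that recommendation 8 asks you to review. The function names (`encodeForHtml`, `renderRecordName`, `buildCspHeader`), the per-response `nonce` and the `allowedScriptHosts` allow-list are all assumptions for the illustration; the sample input is constructed.

```javascript
// Added example (not from the advisory or from Dynamics 365): output
// encoding plus a nonce-based CSP as defenses against stored/reflected XSS.

// Entity table for the HTML text and double-quoted attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode a value for insertion into HTML text or a double-quoted attribute.
// Every character that could open a tag, close an attribute or terminate a
// <script> element is replaced by its entity, so the browser sees only data.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Render an untrusted record field (assumed: an account name supplied by a
// low-privileged user) into a page fragment. The raw value never reaches
// the markup, which is the fix for CWE-79 at the point of output.
function renderRecordName(untrustedName) {
  return `<span class="record-name">${encodeForHtml(untrustedName)}</span>`;
}

// Build a Content-Security-Policy header value. `nonce` is assumed to be a
// fresh, random, base64 token generated server-side for each response;
// `allowedScriptHosts` is an assumed allow-list of origins that legitimately
// serve scripts. No 'unsafe-inline' is ever emitted, so injected inline
// script is blocked even if encoding is missed somewhere.
function buildCspHeader(nonce, allowedScriptHosts = []) {
  if (!/^[A-Za-z0-9+\/=]{16,}$/.test(nonce)) {
    throw new Error('nonce must be a base64 token of at least 16 characters');
  }
  const scriptSrc = ["'self'", `'nonce-${nonce}'`, ...allowedScriptHosts].join(' ');
  return [
    "default-src 'self'",
    `script-src ${scriptSrc}`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'self'",
  ].join('; ');
}

// Self-check: a textbook script payload (constructed input) is neutralised
// and the policy carries the nonce without 'unsafe-inline'.
function selfCheck() {
  const sample = '<script>alert(1)</script>';
  const fragment = renderRecordName(sample);
  const csp = buildCspHeader('c29tZS1yYW5kb20tbm9uY2U=', ['https://cdn.example']);
  return (
    !fragment.includes('<script') &&
    csp.includes("'nonce-") &&
    !csp.includes('unsafe-inline')
  );
}

console.log(renderRecordName('Contoso & Sons <script>alert(1)</script>'));
console.log(buildCspHeader('c29tZS1yYW5kb20tbm9uY2U='));
console.log('self-check passed:', selfCheck());
```

The encoder is only correct for the HTML text and double-quoted attribute contexts; a value written into a JavaScript string, a URL or a CSS property needs the encoder for that context instead. The CSP is most useful as a second layer: it does not fix the injection, but it turns a successful injection into a blocked request that shows up in CSP violation reports, which feeds recommendation 6 (monitoring).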


Technical Details

Data Version: 5.1
Assigner Short Name: microsoft
Date Reserved: 2023-06-21T15:14:27.783Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983cc4522896dcbee5c1

Added to database: 5/21/2025, 9:09:16 AM

Last enriched: 6/25/2025, 3:51:41 AM

Last updated: 7/26/2025, 1:33:20 AM
