
CVE-2023-36410: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Microsoft Dynamics 365 (on-premises) version 9.1

Severity: High
Tags: Vulnerability, CVE-2023-36410, CWE-79
Published: Tue Nov 14 2023 (11/14/2023, 17:57:11 UTC)
Source: CVE
Vendor/Project: Microsoft
Product: Microsoft Dynamics 365 (on-premises) version 9.1

Description

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

AI-Powered Analysis

Last updated: 10/09/2025, 00:29:54 UTC

Technical Analysis

CVE-2023-36410 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, that affects Microsoft Dynamics 365 (on-premises) version 9.1 and also version 9.0. It stems from improper neutralization of user-supplied input during web page generation, which lets an attacker with at least low privileges inject script that runs in the browsers of other users who interact with the crafted content. Such script can disclose sensitive information (high confidentiality impact) and has only limited integrity impact: the attacker can manipulate client-side behaviour but cannot directly alter server-side data, and availability is unaffected. The CVSS v3.1 vector is network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L) and user interaction required (UI:R), with changed scope (S:C), meaning the impact extends beyond the vulnerable component into the victim's browser session; the base score is 7.6 (High). No public exploits had been reported at the time of analysis, but the vulnerability is published by Microsoft and recognized by CISA. It affects on-premises deployments of Microsoft Dynamics 365, a widely used enterprise resource planning and customer relationship management platform that is often integrated with other business-critical systems.

Potential Impact

For European organizations, this vulnerability poses a significant risk to confidentiality due to the potential for attackers to execute scripts that can steal session tokens, credentials, or sensitive business data accessible through Dynamics 365 portals. Given the widespread use of Microsoft Dynamics 365 in sectors such as finance, manufacturing, and public administration across Europe, exploitation could lead to data breaches, compliance violations (e.g., GDPR), and reputational damage. The requirement for low privileges and user interaction lowers the barrier for exploitation, especially in environments with many users and complex workflows. Although availability and integrity impacts are limited, the confidentiality breach alone can have severe consequences, including unauthorized access to customer data and internal business processes. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure.

Mitigation Recommendations

European organizations should prioritize patching affected Microsoft Dynamics 365 (on-premises) instances as soon as Microsoft releases official updates. Until patches are available, organizations should implement strict input validation and sanitization on all user inputs within Dynamics 365 portals and related web components to prevent script injection. Deploying and tuning web application firewalls (WAFs) to detect and block typical XSS payloads targeting Dynamics 365 can reduce exposure. Additionally, organizations should review user privilege assignments to ensure the principle of least privilege is enforced, minimizing the number of users with the ability to inject malicious content. Security awareness training should emphasize the risk of interacting with suspicious links or content within Dynamics 365 interfaces. Monitoring logs for unusual activity related to web requests and user sessions can help detect potential exploitation attempts early. Finally, consider isolating or segmenting Dynamics 365 on-premises environments to limit lateral movement in case of compromise.


Technical Details

Data Version: 5.1
Assigner Short Name: microsoft
Date Reserved: 2023-06-21T15:14:27.783Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983cc4522896dcbee5c1

Added to database: 5/21/2025, 9:09:16 AM

Last enriched: 10/9/2025, 12:29:54 AM

Last updated: 12/4/2025, 1:34:23 AM

Views: 35

Community Reviews

0 reviews

