Vulnerability Details CVE-2019-1229
An elevation of privilege vulnerability exists in Dynamics On-Premise v9. An attacker who successfully exploited the vulnerability could leverage a customizer privilege within Dynamics to gain control of the Web Role hosting the Dynamics installation.
To exploit this vulnerability, an attacker needs to have credentials for a user that has permission to author customized business rules in Dynamics, and persist XAML script in a way that causes it to be interpreted as code.
The update addresses the vulnerability by restricting XAML activities to a whitelisted set.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.099
EPSS Ranking 92.6%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
References
Products affected by CVE-2019-1229
-
cpe:2.3:a:microsoft:dynamics_365:9.0