This script vulnerability has been reported by Satnam Singh. Singh is an independent researcher and has reported multiple vulnerabilities in Microsoft products. In this report, Singh has shared a Proof of Concept (PoC) which can be used to exploit Cross-Site Scripting (XSS) vulnerability in Dynamics 365. This XSS vulnerability can be exploited by an attacker to inject malicious script in to the application and cause a Denial of Service (DoS) or man-in-the-middled (MitM) attack.
Exploitation of this script vulnerability requires user to be logged in to the application. There are multiple ways in which this XSS can be exploited. One of the ways is through direct user-to-user request where an attacker can send a request to a user that has access to that user’s account. Another way is where an attacker can send a request to an admin user which has access to that admin user’s account.
We can see that the XSS which is created through the PoC is present in the login form. This can be exploited by an attacker to send malicious script to the application and cause a DoS or MitM attack.
Description of the vulnerability
The vulnerability has been reported by Satnam Singh, who is an independent researcher and has reported multiple vulnerabilities in Microsoft products. In this report, Singh has shared a Proof of Concept (PoC) which can be used to exploit Cross-Site Scripting (XSS) vulnerability in Dynamics 365. This XSS vulnerability can be exploited by an attacker to inject malicious script in to the application and cause a Denial of Service (DoS) or man-in-the-middled (MitM) attack.
Exploitation of this script vulnerability requires user to be logged in to the application. There are multiple ways in which this XSS can be exploited. One of the ways is through direct user-to-user request where an attacker can send a request to a user that has access to that user’s account. Another way is where an attacker can send a request to an admin user which has access to that admin user’s account.
We can see that the XSS which is created through the PoC is present in the login form. This can be exploited by an attacker to send malicious script to the application and cause a DoS or MitM attack.
Steps to reproduce the demo
Follow the steps below to reproduce the vulnerability.
1. Login to the Dynamics 365 application.
2. Fill in your username and password as per normal and click on login button.
3. Send a POST request to http://mycompanyname/admin/login with following payload:
How to Bypass Dynamics 365 Login Page
To bypass the login page, we need to create a dummy account and set our session cookie to that dummy account. After doing this, we will be able to log in with our fake account.
We can create a dummy user in Dynamics 365 by following these steps:
1) Click on User Accounts (top-right of the screen)
2) Click on Create New User button> Give a name and email address and click Save.
3) You now have a new user - click on their name so you can see their profile information> Go back to the home page
Attack Vector
The PoC which is created by Singh has multiple attack vectors. An attacker can send a request to a user that has access to that user’s account. Another way an attacker can exploit this XSS vulnerability is by sending a request to an admin user which has access to that admin user’s account.
There are multiple ways in which this XSS vulnerability can be exploited and the most common one is through direct user-to-user request where an attacker can send a request to a user that has access to that user’s account and cause a DoS or MitM attack.
CWE Identification
The following text is a brief description of the potential vulnerability. The Common Weakness Enumeration (CWE) ID is CVE-2022-21932.
Timeline
Published on: 01/11/2022 21:15:00 UTC
Last modified on: 01/20/2022 18:48:00 UTC