Microsoft has addressed four security flaws affecting its artificial intelligence (AI), cloud, ERP, and Partner Center offerings, including one it said has been exploited in the wild.
The vulnerability marked as “Exploitation Detected” is CVE-2024-49035 (CVSS score: 8.7), a privilege escalation vulnerability in partner.microsoft(.)com.
“An inappropriate access control vulnerability in partner.microsoft(.)com allows an unauthenticated attacker to elevate privileges across the network,” the tech giant said in an advisory released this week.
Microsoft credited Gautam Peri, Apoorv Wadhwa, and an anonymous researcher for reporting the flaw, but did not reveal any details about how it was exploited in real-life attacks.
Fixes for the flaws are automatically rolled out as part of updates to the online version of Microsoft Power Apps. Redmond also addressed three other vulnerabilities, two of which are rated Critical and one of which is rated Important:

CVE-2024-49038 (CVSS score: 9.3) – A cross-site scripting (XSS) vulnerability in Copilot Studio that could allow an unauthorized attacker to elevate privileges over a network
CVE-2024-49052 (CVSS score: 8.2) – A missing authentication for critical function vulnerability in Microsoft Azure PolicyWatch that could allow an unauthorized attacker to elevate privileges over a network
CVE-2024-49053 (CVSS score: 7.6) – A spoofing vulnerability in Microsoft Dynamics 365 Sales that could allow an authenticated attacker to trick a user into clicking a specially crafted URL and potentially redirect the victim to a malicious site
Although most of the vulnerabilities are already fully mitigated and require no user action, users are advised to update the Dynamics 365 Sales apps for Android and iOS to the latest version (3.24104.15) to protect against CVE-2024-49053.