CVE-2020-16956
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in Microsoft Dynamics 365 (on-premises) that allows authenticated attackers to inject malicious scripts into web requests. When exploited, these scripts execute in the security context of the current authenticated user, potentially enabling unauthorized data access, privilege escalation, or content manipulation. Only organizations running vulnerable on-premises Dynamics 365 installations are affected.
💻 Affected Systems
- Microsoft Dynamics 365 (on-premises)
📦 What is this software?
Dynamics 365 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could perform actions as any user, including administrators, leading to complete system compromise, data theft, and persistent backdoor installation.
Likely Case
Attackers with standard user credentials could steal session cookies, perform unauthorized actions within their permission scope, or deface internal applications.
If Mitigated
With proper server-side input validation and context-aware output encoding, the vulnerability would be neutralized: even if malicious input reaches the server, it is rendered as inert text rather than executed as script in the user's browser.
🎯 Exploit Status
Exploitation requires authenticated access to the Dynamics server. The vulnerability involves improper input sanitization, making exploitation straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Update or Dynamics 365 update channels for specific patch version
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16956
Restart Required: Yes
Instructions:
1. Apply the security update from Microsoft Update or Dynamics 365 update channels.
2. Restart the Dynamics server and any related services.
3. Verify the update was successfully applied.
🔧 Temporary Workarounds
Implement Input Validation
Add server-side input validation to sanitize all user inputs before processing.
Enable Content Security Policy (CSP)
Configure CSP headers to restrict script execution sources and mitigate XSS impact.
🧯 If You Can't Patch
- Restrict user permissions to minimum necessary levels to limit potential damage from exploitation.
- Implement web application firewall (WAF) rules to block common XSS payloads in requests.
🔍 How to Verify
Check if Vulnerable:
Check your Dynamics 365 version against the patched versions listed in the Microsoft advisory.
Check Version:
Check Dynamics 365 version through the application's admin interface or server installation logs.
Verify Fix Applied:
Verify that the security update is installed via Windows Update history or Dynamics update logs, and test that malicious script inputs are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests with script tags or JavaScript code in parameters
- Multiple failed login attempts followed by successful authentication and suspicious requests
Network Indicators:
- HTTP requests containing <script>, javascript:, or encoded payloads in URL parameters or form data
SIEM Query:
source="dynamics_logs" AND (http_request CONTAINS "<script>" OR http_request CONTAINS "javascript:")
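As an added example (not part of this advisory or of any Microsoft tooling), the following Python script applies the log and network indicators above to constructed IIS-style request log lines. Unlike the literal SIEM query, it URL-decodes the query string (twice, to cover double encoding) before matching, so percent-encoded payloads such as %3Cscript%3E are caught; the log column layout and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Indicators from the Detection section above; matched against the decoded
# query string so percent-encoded variants do not slip past the check.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}

# Constructed sample lines (not real Dynamics logs). Assumed IIS-style layout:
# date time client-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2020-10-13 10:01:02 10.0.0.5 GET /main.aspx etc=1 200
2020-10-13 10:01:09 10.0.0.5 GET /main.aspx q=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
2020-10-13 10:02:15 10.0.0.7 POST /_grid/grid.aspx sortCol=javascript%3Aalert(1) 200
2020-10-13 10:03:30 10.0.0.9 GET /main.aspx name=O%27Brien 200
"""


def decode_twice(value):
    """URL-decode up to two times so double-encoded payloads are normalised too."""
    return unquote_plus(unquote_plus(value))


def scan_line(line):
    """Return the sorted indicator names matched by one log line ([] if clean)."""
    parts = line.split()
    if len(parts) < 6:          # malformed or truncated line: nothing to inspect
        return []
    query = decode_twice(parts[5])
    return sorted(name for name, rx in XSS_PATTERNS.items() if rx.search(query))


def scan_log(text):
    """Return [(line_number, client_ip, matched_indicators)] for suspicious lines."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        matches = scan_line(line)
        if matches:
            hits.append((number, line.split()[2], matches))
    return hits


if __name__ == "__main__":
    for number, ip, matches in scan_log(SAMPLE_LOG):
        print(f"line {number} from {ip}: {', '.join(matches)}")
```

Flagged lines are candidates for review; a benign apostrophe like O'Brien on line 4 is correctly left alone, which is the false-positive case a naive substring match on encoded text tends to mishandle.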