CVE-2023-36800
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in Microsoft Dynamics 365 Finance and Operations that allows attackers to inject malicious scripts into web pages viewed by other users. When exploited, it can lead to session hijacking, data theft, or unauthorized actions performed on behalf of legitimate users. Organizations using affected versions of Dynamics 365 Finance and Operations are vulnerable.
💻 Affected Systems
- Microsoft Dynamics 365 Finance
- Microsoft Dynamics 365 Operations
📦 What is this software?
Dynamics 365 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, perform unauthorized transactions, or deploy malware to users' browsers, potentially leading to complete system compromise and data exfiltration.
Likely Case
Attackers inject malicious scripts to steal session cookies or credentials, enabling unauthorized access to financial data and business operations within the Dynamics environment.
If Mitigated
With proper input validation, output encoding, and Content Security Policy (CSP) headers in place, the impact is limited to minor data leakage; once the vulnerability is fully patched, it is not exploitable.
🎯 Exploit Status
XSS vulnerabilities typically require user interaction (e.g., clicking a malicious link) and may need some level of access or social engineering; no public exploit code is known as of the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply the July 2023 security update for Dynamics 365 Finance and Operations
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36800
Restart Required: Yes
Instructions:
1. Access the Microsoft Dynamics Lifecycle Services (LCS) portal.
2. Navigate to the environment details for your Dynamics 365 Finance and Operations deployment.
3. Apply the latest available update, specifically the July 2023 security update.
4. Restart the application servers and any related services as required by the update process.
🔧 Temporary Workarounds
Implement Content Security Policy (CSP)
Deploy a strict CSP header to mitigate XSS by restricting script sources and inline scripts.
Add to web.config or server headers: Content-Security-Policy: default-src 'self'; script-src 'self'
Enable Input Validation and Output Encoding
Configure Dynamics or the web server to validate and encode user inputs to prevent script injection.
Configure in application settings or via web server modules (e.g., use Microsoft AntiXSS library)
🧯 If You Can't Patch
- Restrict access to Dynamics interfaces using network segmentation and firewalls to limit exposure to trusted users only.
- Implement web application firewalls (WAF) with XSS protection rules to block malicious payloads before they reach the application.
🔍 How to Verify
Check if Vulnerable:
Review the Dynamics 365 version and update history in Lifecycle Services (LCS) to confirm if the July 2023 security update is applied; test for XSS by attempting to inject simple scripts in user-input fields (in a controlled manner).
Check Version:
Check within Dynamics 365 Finance and Operations admin portal or LCS for current version and update status; no direct CLI command is standard.
Verify Fix Applied:
Confirm the update is installed via LCS and test that script injection attempts are properly sanitized or blocked in the application interface.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests with script tags or JavaScript payloads in query parameters or form data
- Errors related to input validation failures in application logs
Network Indicators:
- HTTP traffic containing suspicious script injections or encoded payloads directed at Dynamics endpoints
SIEM Query:
source="dynamics_logs" AND (http_uri="*<script>*" OR http_body="*javascript:*")
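The log and network indicators above (script tags or `javascript:` payloads in query parameters or form data, including URL-encoded variants) can be checked outside a SIEM as well. The following is an added example, not part of this advisory or of any Microsoft tooling: it parses constructed web-access log lines in an assumed `key=value` format, percent-decodes the URI and body (twice, to catch double-encoded payloads), and reports which indicator each suspicious request matched. The log format, field names and sample lines are all assumptions; adapt `parse_log_line()` to the format your reverse proxy or web server actually emits.

```python
"""Scan web-access log lines for the XSS indicators named in the advisory.

Added example for illustration only; it is not Microsoft code and the log
format below is an assumption. Sample lines are constructed, not captured
from any real Dynamics 365 deployment.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample log lines: timestamp followed by key=value fields,
# with quoted values for fields that may contain spaces or '='.
SAMPLE_LOGS = [
    '2023-07-12T10:01:02Z client=10.0.0.5 method=GET uri="/namespaces/AXSF/?cmp=USMF&mi=CustTable" body="" status=200',
    '2023-07-12T10:01:09Z client=198.51.100.7 method=GET uri="/namespaces/AXSF/?q=<script>alert(1)</script>" body="" status=200',
    '2023-07-12T10:02:15Z client=198.51.100.7 method=POST uri="/namespaces/AXSF/" body="name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E" status=302',
    '2023-07-12T10:03:44Z client=203.0.113.9 method=POST uri="/namespaces/AXSF/" body="url=javascript%3Aalert(1)" status=200',
    '2023-07-12T10:04:00Z client=10.0.0.8 method=GET uri="/namespaces/AXSF/?mi=VendTable&description=javascript%20course" body="" status=200',
]

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Indicators from the advisory: a <script> tag, or the javascript: URL scheme.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b"),
    "javascript_scheme": re.compile(r"javascript\s*:"),
}


def parse_log_line(line: str) -> dict[str, str]:
    """Split one log line into a dict; the leading token is the timestamp."""
    timestamp, _, rest = line.partition(" ")
    fields = {"timestamp": timestamp}
    for key, quoted, bare in FIELD_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields


def normalize(value: str) -> str:
    """Percent-decode up to twice (catches double-encoding) and lowercase,
    so that %3Cscript%3E and %253Cscript%253E are both seen as <script>."""
    decoded = value
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.lower()


def find_indicators(uri: str, body: str) -> list[str]:
    """Return the names of every indicator present in the decoded URI or body."""
    norm_uri, norm_body = normalize(uri), normalize(body)
    return [
        name
        for name, pattern in INDICATORS.items()
        if pattern.search(norm_uri) or pattern.search(norm_body)
    ]


def scan_logs(lines: list[str]) -> list[dict]:
    """Return one alert record per log line that matches at least one indicator."""
    alerts = []
    for line in lines:
        fields = parse_log_line(line)
        hits = find_indicators(fields.get("uri", ""), fields.get("body", ""))
        if hits:
            alerts.append(
                {
                    "timestamp": fields["timestamp"],
                    "client": fields.get("client", "?"),
                    "method": fields.get("method", "?"),
                    "indicators": hits,
                }
            )
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(f"{alert['timestamp']} {alert['client']} {alert['method']} -> {', '.join(alert['indicators'])}")
```

Decoding before matching is what distinguishes this from the wildcard SIEM query above: a literal `*<script>*` match misses a percent-encoded payload in form data, while the decoded comparison flags both the raw and the encoded form. The last sample line shows the other side of the trade-off, a benign field containing the word "javascript" is not flagged because the scheme pattern requires the colon.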