{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Microsoft heeft kwetsbaarheden verholpen in Dynamics.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "Een kwaadwillende kan de kwetsbaarheden misbruiken om een Cross-Site-Scripting-aanval uit te voeren. Een dergelijke aanval kan leiden tot uitvoer van willekeurige code in de browser van het slachtoffer, of toegang tot gevoelige gegevens in de context van de browser van het slachtoffer.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op:\n\nhttps://portal.msrc.microsoft.com/en-us/security-guidance",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
        "title": "CWE-601"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
        "title": "CWE-79"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "title": "Kwetsbaarheden verholpen in Microsoft Dynamics",
    "tracking": {
      "current_release_date": "2024-08-13T18:22:21.160613Z",
      "id": "NCSC-2024-0338",
      "initial_release_date": "2024-08-13T18:22:21.160613Z",
      "revision_history": [
        {
          "date": "2024-08-13T18:22:21.160613Z",
          "number": "0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "dynamics_365",
            "product": {
              "name": "dynamics_365",
              "product_id": "CSAFPID-1606774",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:microsoft:dynamics_365:-:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "dynamics_crm_service_portal_web_resource",
            "product": {
              "name": "dynamics_crm_service_portal_web_resource",
              "product_id": "CSAFPID-1613649",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource:-:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "dynamics_crm_service_portal_web_resource",
            "product": {
              "name": "dynamics_crm_service_portal_web_resource",
              "product_id": "CSAFPID-1606656",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "dynamics_crm_service_portal_web_resource",
            "product": {
              "name": "dynamics_crm_service_portal_web_resource",
              "product_id": "CSAFPID-1607407",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource:n_a:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "microsoft_dynamics_365__on-premises__version_9.1",
            "product": {
              "name": "microsoft_dynamics_365__on-premises__version_9.1",
              "product_id": "CSAFPID-1455733",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:microsoft:microsoft_dynamics_365__on-premises__version_9.1:9.0:*:*:*:*:*:*:*"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-38166",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "title": "CWE-79"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1613649",
          "CSAFPID-1606774",
          "CSAFPID-1607407"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-38166",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38166.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1613649",
            "CSAFPID-1606774",
            "CSAFPID-1607407"
          ]
        }
      ],
      "title": "CVE-2024-38166"
    },
    {
      "cve": "CVE-2024-38211",
      "cwe": {
        "id": "CWE-601",
        "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
          "title": "CWE-601"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1455733"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-38211",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38211.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1455733"
          ]
        }
      ],
      "title": "CVE-2024-38211"
    }
  ]
}

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Microsoft heeft kwetsbaarheden verholpen in Dynamics.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "Een kwaadwillende kan de kwetsbaarheden misbruiken om een Cross-Site-Scripting-aanval uit te voeren. Een dergelijke aanval kan leiden tot uitvoer van willekeurige code in de browser van het slachtoffer, of toegang tot gevoelige gegevens in de context van de browser van het slachtoffer.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op:\n\nhttps://portal.msrc.microsoft.com/en-us/security-guidance",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
        "title": "CWE-601"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
        "title": "CWE-79"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "title": "Kwetsbaarheden verholpen in Microsoft Dynamics",
    "tracking": {
      "current_release_date": "2024-08-13T18:22:21.160613Z",
      "id": "NCSC-2024-0338",
      "initial_release_date": "2024-08-13T18:22:21.160613Z",
      "revision_history": [
        {
          "date": "2024-08-13T18:22:21.160613Z",
          "number": "0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "dynamics_365",
            "product": {
              "name": "dynamics_365",
              "product_id": "CSAFPID-1606774",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:microsoft:dynamics_365:-:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "dynamics_crm_service_portal_web_resource",
            "product": {
              "name": "dynamics_crm_service_portal_web_resource",
              "product_id": "CSAFPID-1613649",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource:-:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "dynamics_crm_service_portal_web_resource",
            "product": {
              "name": "dynamics_crm_service_portal_web_resource",
              "product_id": "CSAFPID-1606656",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "dynamics_crm_service_portal_web_resource",
            "product": {
              "name": "dynamics_crm_service_portal_web_resource",
              "product_id": "CSAFPID-1607407",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource:n_a:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "microsoft_dynamics_365__on-premises__version_9.1",
            "product": {
              "name": "microsoft_dynamics_365__on-premises__version_9.1",
              "product_id": "CSAFPID-1455733",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:microsoft:microsoft_dynamics_365__on-premises__version_9.1:9.0:*:*:*:*:*:*:*"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-38166",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "title": "CWE-79"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1613649",
          "CSAFPID-1606774",
          "CSAFPID-1607407"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-38166",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38166.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1613649",
            "CSAFPID-1606774",
            "CSAFPID-1607407"
          ]
        }
      ],
      "title": "CVE-2024-38166"
    },
    {
      "cve": "CVE-2024-38211",
      "cwe": {
        "id": "CWE-601",
        "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
          "title": "CWE-601"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1455733"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-38211",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38211.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1455733"
          ]
        }
      ],
      "title": "CVE-2024-38211"
    }
  ]
}

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Microsoft Dynamics 365 ist eine All-in-One-Unternehmensmanagementl\u00f6sung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein anonymer Angreifer kann eine Schwachstelle in Microsoft Dynamics 365 ausnutzen, um einen Cross-Site-Scripting-Angriff zu starten.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-1824 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1824.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-1824 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1824"
      },
      {
        "category": "external",
        "summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates vom 2024-08-13",
        "url": "https://msrc.microsoft.com/update-guide"
      }
    ],
    "source_lang": "en-US",
    "title": "Microsoft Dynamics 365: Schwachstelle erm\u00f6glicht Cross-Site Scripting",
    "tracking": {
      "current_release_date": "2024-08-13T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:12:12.950+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-1824",
      "initial_release_date": "2024-08-13T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-08-13T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "(on-premises) version 9.1 \u003c1.31",
                "product": {
                  "name": "Microsoft Dynamics 365 (on-premises) version 9.1 \u003c1.31",
                  "product_id": "T036768"
                }
              }
            ],
            "category": "product_name",
            "name": "Dynamics 365"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-38211",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Cross-Site Scripting-Schwachstelle in Microsoft Dynamics 365. Dieses Problem wird durch eine unsachgem\u00e4\u00dfe Filterung der vom Benutzer bereitgestellten Daten vor der Anzeige der Eingaben verursacht. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Skriptcode im Sicherheitskontext einer betroffenen Website auszuf\u00fchren. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
        }
      ],
      "release_date": "2024-08-13T22:00:00.000+00:00",
      "title": "CVE-2024-38211"
    }
  ]
}

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Microsoft Dynamics 365 ist eine All-in-One-Unternehmensmanagementl\u00f6sung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein anonymer Angreifer kann eine Schwachstelle in Microsoft Dynamics 365 ausnutzen, um einen Cross-Site-Scripting-Angriff zu starten.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-1824 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1824.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-1824 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1824"
      },
      {
        "category": "external",
        "summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates vom 2024-08-13",
        "url": "https://msrc.microsoft.com/update-guide"
      }
    ],
    "source_lang": "en-US",
    "title": "Microsoft Dynamics 365: Schwachstelle erm\u00f6glicht Cross-Site Scripting",
    "tracking": {
      "current_release_date": "2024-08-13T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:12:12.950+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-1824",
      "initial_release_date": "2024-08-13T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-08-13T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "(on-premises) version 9.1 \u003c1.31",
                "product": {
                  "name": "Microsoft Dynamics 365 (on-premises) version 9.1 \u003c1.31",
                  "product_id": "T036768"
                }
              }
            ],
            "category": "product_name",
            "name": "Dynamics 365"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-38211",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Cross-Site Scripting-Schwachstelle in Microsoft Dynamics 365. Dieses Problem wird durch eine unsachgem\u00e4\u00dfe Filterung der vom Benutzer bereitgestellten Daten vor der Anzeige der Eingaben verursacht. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Skriptcode im Sicherheitskontext einer betroffenen Website auszuf\u00fchren. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
        }
      ],
      "release_date": "2024-08-13T22:00:00.000+00:00",
      "title": "CVE-2024-38211"
    }
  ]
}

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "\u003ca href=\"https://www.linkedin.com/in/michaelboeynaems/\"\u003eMichael Boeynaems\u003c/a\u003e with \u003ca href=\"https://www.splynter.be/\"\u003eSplynter\u003c/a\u003e"
        ]
      },
      {
        "names": [
          "Felix Boulet with \u003ca href=\"https://www.cyber.gouv.qc.ca/\"\u003eCentre gouvernemental de cyberd\u0026#233;fense (CGCD)\u003c/a\u003e"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      },
      {
        "category": "general",
        "text": "Required. The vulnerability documented by this CVE requires customer action to resolve.",
        "title": "Customer Action"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2024-38211 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability - HTML",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38211"
      },
      {
        "category": "self",
        "summary": "CVE-2024-38211 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability - CSAF",
        "url": "https://msrc.microsoft.com/csaf/advisories/2024/msrc_cve-2024-38211.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Exploitability Index",
        "url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability",
    "tracking": {
      "current_release_date": "2024-08-14T07:00:00.000Z",
      "generator": {
        "date": "2025-07-10T16:32:58.524Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2024-38211",
      "initial_release_date": "2024-08-13T07:00:00.000Z",
      "revision_history": [
        {
          "date": "2024-08-13T07:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2024-08-14T07:00:00.000Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "Corrected Download links in the Security Updates table. This is an informational change only."
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003c1.31",
            "product": {
              "name": "Microsoft Dynamics 365 (on-premises) version 9.1 \u003c1.31",
              "product_id": "1"
            }
          },
          {
            "category": "product_version",
            "name": "1.31",
            "product": {
              "name": "Microsoft Dynamics 365 (on-premises) version 9.1 1.31",
              "product_id": "11921"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft Dynamics 365 (on-premises) version 9.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-38211",
      "cwe": {
        "id": "CWE-601",
        "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
      },
      "notes": [
        {
          "category": "general",
          "text": "Microsoft",
          "title": "Assigning CNA"
        },
        {
          "category": "faq",
          "text": "The attacker is only able to modify the content of the vulnerable link to redirect the victim to a malicious site.",
          "title": "According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability?"
        },
        {
          "category": "faq",
          "text": "The vulnerability is in the web server, but the malicious scripts execute in the victim\u2019s browser on their machine.",
          "title": "According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?"
        },
        {
          "category": "faq",
          "text": "The user would have to click on a specially crafted URL to be compromised by the attacker.",
          "title": "According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?"
        }
      ],
      "product_status": {
        "fixed": [
          "11921"
        ],
        "known_affected": [
          "1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-38211 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability - HTML",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38211"
        },
        {
          "category": "self",
          "summary": "CVE-2024-38211 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability - CSAF",
          "url": "https://msrc.microsoft.com/csaf/advisories/2024/msrc_cve-2024-38211.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-08-13T07:00:00.000Z",
          "details": "1.31:Security Update:https://support.microsoft.com/help/5041557",
          "product_ids": [
            "1"
          ],
          "url": "https://support.microsoft.com/help/5041557"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "CHANGED",
            "temporalScore": 7.1,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Spoofing"
        },
        {
          "category": "exploit_status",
          "details": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely"
        }
      ],
      "title": "Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability"
    }
  ]
}

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-38211",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-38211"
    }
  },
  "description": "Microsoft Dynamics 365\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u5957\u9002\u7528\u4e8e\u8de8\u56fd\u4f01\u4e1a\u7684ERP\u4e1a\u52a1\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u5305\u62ec\u8d22\u52a1\u7ba1\u7406\u3001\u751f\u4ea7\u7ba1\u7406\u548c\u5546\u4e1a\u667a\u80fd\u7ba1\u7406\u7b49\u3002\n\nMicrosoft Dynamics 365 (on-premises)\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7a83\u53d6\u53d7\u5bb3\u8005\u57fa\u4e8ecookie\u7684\u8eab\u4efd\u9a8c\u8bc1\u51ed\u636e\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-38211",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-40537",
  "openTime": "2024-10-14",
  "patchDescription": "Microsoft Dynamics 365\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u5957\u9002\u7528\u4e8e\u8de8\u56fd\u4f01\u4e1a\u7684ERP\u4e1a\u52a1\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u5305\u62ec\u8d22\u52a1\u7ba1\u7406\u3001\u751f\u4ea7\u7ba1\u7406\u548c\u5546\u4e1a\u667a\u80fd\u7ba1\u7406\u7b49\u3002\r\n\r\nMicrosoft Dynamics 365 (on-premises)\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7a83\u53d6\u53d7\u5bb3\u8005\u57fa\u4e8ecookie\u7684\u8eab\u4efd\u9a8c\u8bc1\u51ed\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft Dynamics 365 (on-premises)\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2024-40537\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Microsoft Dynamics 365 (on-premises) 9.1"
  },
  "referenceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38211",
  "serverity": "\u9ad8",
  "submitTime": "2024-08-16",
  "title": "Microsoft Dynamics 365 (on-premises)\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2024-40537\uff09"
}

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "CBL Mariner 1.0 ARM versions ant\u00e9rieures \u00e0 2.06~rc1-10",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "CBL Mariner 2.0 x64 versions ant\u00e9rieures \u00e0 2.06-10",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "CBL Mariner 2.0 ARM versions ant\u00e9rieures \u00e0 2.06-10",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "CBL Mariner 1.0 ARM versions ant\u00e9rieures \u00e0 2.06~rc1-9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2022 version 17.6 ant\u00e9rieures \u00e0 17.6.18",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "CBL Mariner 1.0 x64 versions ant\u00e9rieures \u00e0 2.06~rc1-9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "CBL Mariner 2.0 x64 versions ant\u00e9rieures \u00e0 2.06-8",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "CBL Mariner 2.0 ARM versions ant\u00e9rieures \u00e0 2.06-8",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Teams pour iOS versions ant\u00e9rieures \u00e0 7.13.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "CBL Mariner 1.0 x64 versions ant\u00e9rieures \u00e0 2.06~rc1-10",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2022 version 17.10 ant\u00e9rieures \u00e0 17.10.6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2022 version 17.8 ant\u00e9rieures \u00e0 17.8.13",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 (on-premises) version 9.1 ant\u00e9rieures \u00e0 1.31",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "App Installer versions ant\u00e9rieures \u00e0 1.22.11261.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-38167",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38167"
    },
    {
      "name": "CVE-2024-38211",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38211"
    },
    {
      "name": "CVE-2024-38197",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38197"
    },
    {
      "name": "CVE-2022-2601",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-2601"
    },
    {
      "name": "CVE-2024-38177",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38177"
    },
    {
      "name": "CVE-2024-38168",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38168"
    },
    {
      "name": "CVE-2022-3775",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3775"
    }
  ],
  "initial_release_date": "2024-08-14T00:00:00",
  "last_revision_date": "2024-08-14T00:00:00",
  "links": [],
  "reference": "CERTFR-2024-AVI-0684",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-08-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
  "vendor_advisories": [
    {
      "published_at": "2024-08-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2022-3775",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3775"
    },
    {
      "published_at": "2024-08-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2024-38177",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38177"
    },
    {
      "published_at": "2024-08-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2024-38167",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38167"
    },
    {
      "published_at": "2024-08-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2022-2601",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2601"
    },
    {
      "published_at": "2024-08-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2024-38168",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38168"
    },
    {
      "published_at": "2024-08-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2024-38211",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38211"
    },
    {
      "published_at": "2024-08-13",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2024-38197",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38197"
    }
  ]
}

{
  "affected": [],
  "aliases": [
    "CVE-2024-38211"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T18:15:30Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability",
  "id": "GHSA-v68h-j2w8-x6w3",
  "modified": "2024-08-13T18:31:17Z",
  "published": "2024-08-13T18:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38211"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38211"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:dynamics_365:9.1:*:*:*:on-premises:*:*:*",
              "matchCriteriaId": "5ADE397C-8342-48C2-8A26-2C5A4E367975",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability"
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de cross site scripting en Microsoft Dynamics 365 (local)"
    }
  ],
  "id": "CVE-2024-38211",
  "lastModified": "2024-08-15T20:29:19.557",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.7,
        "source": "secure@microsoft.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-08-13T18:15:30.470",
  "references": [
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38211"
    }
  ],
  "sourceIdentifier": "secure@microsoft.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "secure@microsoft.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}