Microsoft has fixed four security flaws affecting its artificial intelligence (AI), cloud, enterprise resource planning and partner center offerings, including one it said was being exploited in the wild.
The vulnerability marked “Exploitation Discovered” is CVE-2024-49035 (CVSS score: 8.7), an elevation of privilege flaw in partner.microsoft(.)com.
“An improper access control vulnerability in partner.microsoft(.)com could allow an unauthenticated attacker to elevate network privileges,” the tech giant said in an advisory released this week.
Microsoft credited Gautam Perry, Apoorva Wadhwa and an anonymous researcher for reporting the flaw, but did not reveal any details about how it was used in actual attacks.
Bug fixes are automatically deployed as part of updates to the online version of Microsoft Power Apps. Redmond also patched three other vulnerabilities, two of which are rated Critical and one Important –
- CVE-2024-49038 (CVSS Score: 9.3) – A cross-site scripting (XSS) vulnerability in Copilot Studio could allow an unauthorized attacker to elevate network privileges
- CVE-2024-49052 (CVSS Score: 8.2) – A missing authentication for critical function vulnerability in Microsoft Azure PolicyWatch that could allow an unauthorized attacker to elevate network privileges
- CVE-2024-49053 (CVSS Score: 7.6) – A spoofing vulnerability in Microsoft Dynamics 365 Sales that could allow an authenticated attacker to trick a user into clicking on a specially crafted URL and potentially redirect the victim to a malicious site
While most of the vulnerabilities have already been fully resolved and do not require any user action, it is recommended that you update Dynamics 365 Sales apps for Android and iOS to the latest version (3.24104.15) to protect against CVE-2024-49053.