Dynamics CRM 2013 SP1 security vulnerability sparks 'all hands on deck' response from Microsoft
A "DOM-based self-XSS vulnerability" for Microsoft Dynamics CRM 2013 SP1 was recently discovered by IT security firm High-Tech Bridge. If exploited, it could be used for cross-site scripting (XSS) attacks against authenticated Dynamics CRM users.
Microsoft responded to the security firm's report by stating that it "does not consider self-XSS issues to be security vulnerabilities," based on standard policies. But a source tells MSDynamicsWorld.com that behind the scenes Microsoft has treated this discovery as an "all hands on deck" issue. They are actively working on a fix for the vulnerability that will be added to an upcoming release or update.
UPDATE: Microsoft has provided the following statement on the matter:
"We do not consider this a security vulnerability as it requires the use of social engineering to convince an authenticated user to enter some specific malicious code – in this instance putting it into a field on the Dynamics CRM application. We recommend that our customers always exercise caution when accepting content from untrusted sources. Additional protection guidance can be found at: www.microsoft.com/protect."
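The pattern both parties are describing, a field value that the client-side code writes back into the page as markup, is easy to model. The following is an added example for illustration, not code from Dynamics CRM, High-Tech Bridge or Microsoft; the function names, the sample string and the rendering templates are assumptions. It shows the vulnerable rendering beside the encoded form and a simple audit check a defender can run over stored field values.

```javascript
// Added example (not from the article or any vendor): a minimal model of the
// DOM-based self-XSS pattern described above, with its fix. All names here
// (escapeHtml, renderFieldUnsafe, renderFieldSafe, looksLikeMarkup) are assumed.

// Encode the five characters that can change HTML context. Equivalent in effect
// to assigning the value via textContent instead of innerHTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the raw field value is concatenated into markup that the
// page would assign to innerHTML, so any markup a user was talked into pasting
// into the field becomes live DOM (elements, attributes, event handlers).
function renderFieldUnsafe(label, value) {
  return `<div class="field"><span>${label}:</span> ${value}</div>`;
}

// Hardened pattern: both label and value are encoded before insertion, so the
// pasted text is displayed literally and cannot introduce elements or handlers.
function renderFieldSafe(label, value) {
  return `<div class="field"><span>${escapeHtml(label)}:</span> ${escapeHtml(value)}</div>`;
}

// Defender audit check: flag stored field values that contain a tag opener or an
// on* event-handler attribute. Intended for logging and record review, not as a
// replacement for output encoding (encoding is what actually closes the bug).
function looksLikeMarkup(value) {
  const s = String(value);
  return /<[a-zA-Z!\/]/.test(s) || /\bon\w+\s*=/i.test(s);
}

// Constructed sample values: one string a user might be tricked into pasting
// into a CRM text field, and one ordinary value that merely contains an ampersand.
const PASTED_MARKUP = '<b onmouseover="evil()">hi</b>';
const ORDINARY_VALUE = "Tom & Jerry's \"Deal\"";

// Stand-alone demonstration.
console.log(renderFieldUnsafe("Notes", PASTED_MARKUP)); // handler survives
console.log(renderFieldSafe("Notes", PASTED_MARKUP));   // handler is inert text
console.log(looksLikeMarkup(PASTED_MARKUP), looksLikeMarkup(ORDINARY_VALUE));
```

The fix is the encoding (or, in real DOM code, using `textContent` or the framework's text-binding rather than `innerHTML`); the audit check only helps a defender find records that already hold such content.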
While this self-XSS vulnerability is potentially exploitable, it was discovered in Dynamics CRM 2013 SP1 Update Rollup 1. That means CRM 2013 SP1 Update Rollup 2 and CRM 2015 are not vulnerable to this particular issue. Dynamics CRM Online users would not be on the release that has this vulnerability.
(Correction: the above point was corrected to state the issue was detected in the CRM 2013 SP1 Update Rollup 1 build.)
The High-Tech Bridge post explains more about the issue: