Dynamics CRM 2013 SP1 security vulnerability sparks 'all hands on deck' response from Microsoft

A "DOM-based self-XSS vulnerability" in Microsoft Dynamics CRM 2013 SP1 was recently discovered by IT security firm High-Tech Bridge. If exploited, it could be used for cross-site scripting (XSS) attacks against authenticated Dynamics CRM users.

Microsoft responded to the security firm's report by stating that it "does not consider self-XSS issues to be security vulnerabilities," based on standard policies. But a source tells MSDynamicsWorld.com that behind the scenes Microsoft has treated this discovery as an "all hands on deck" issue. The company is actively working on a fix for the vulnerability that will be added to an upcoming release or update.

UPDATE: Microsoft has provided the following statement on the matter:


About Jason Gumpert

As the editor of MSDynamicsWorld.com, Jason oversees all editorial content on the site and at our events, as well as providing site management and strategy. He can be reached at jgumpert@msdynamicsworld.com.

Prior to co-founding MSDynamicsWorld.com, Jason was a Principal Software Consultant at Parametric Technology Corporation (PTC), where he implemented solutions, trained customers, managed software development, and spent some time in the pre-sales engineering organization. He has also held consulting positions at CSC Consulting and Monitor Group.


CRM 2013 SP1 Update Rollup 1

According to High-Tech Bridge.
Vulnerable Versions:( (DB which is CRM 2013 SP1 Update Rollup 1.

Thanks, we'll update that point.