CVE-2023-36020 in Dynamics 365
Summary
by MITRE • 12/12/2023
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/09/2026
Microsoft Dynamics 365 on-premises installations face a critical cross-site scripting vulnerability that stems from inadequate input validation and output encoding mechanisms within the web application framework. This weakness allows authenticated attackers with limited privileges to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, data exfiltration, or privilege escalation. The vulnerability manifests when user-supplied data is improperly sanitized before being rendered in web responses, creating an attack surface that aligns with CWE-79 - Improper Neutralization of Input During Web Page Generation. The flaw exists in the server-side rendering logic that processes form inputs, query parameters, and other user-controllable data without sufficient sanitization measures.
The operational impact of this vulnerability extends beyond simple script execution as it can enable attackers to manipulate the application's behavior and access sensitive organizational data. An attacker could craft malicious payloads that exploit the XSS vulnerability to steal session cookies, redirect users to malicious sites, or inject persistent scripts that execute in the context of other users' sessions. This type of vulnerability directly maps to ATT&CK technique T1531 - Account Access Removal and T1071.001 - Application Layer Protocol: Web Protocols, as it leverages web application weaknesses to gain unauthorized access to user sessions and potentially compromise the entire Dynamics 365 environment. The attack vector typically involves sending crafted requests through the Dynamics 365 web interface where the application fails to properly validate or encode user inputs before displaying them in subsequent web responses.
Organizations running on-premises Dynamics 365 deployments face significant risk from this vulnerability as it can serve as a stepping stone for more extensive attacks within their network infrastructure. The vulnerability's exploitation requires minimal privileges and can be executed through standard web application interfaces, making it particularly dangerous in environments where Dynamics 365 serves as a central business application. The threat landscape surrounding this vulnerability includes both automated scanning tools that can identify such flaws and sophisticated attackers who may use it to establish persistent access to corporate networks. Security controls should address the root cause through comprehensive input validation, output encoding, and proper sanitization of all user-supplied data before rendering in web contexts. Microsoft has released security updates and patches to address this specific vulnerability, and organizations should implement these immediately to mitigate the risk of exploitation. Additional mitigations include implementing content security policies, using web application firewalls, and conducting regular security assessments to identify similar vulnerabilities in custom extensions or third-party integrations that may exist within the Dynamics 365 environment.