Microsoft has fixed four security vulnerabilities affecting its artificial intelligence (AI), cloud, enterprise resource planning and Partner Center offerings, including one that it says has been exploited in the wild.
The vulnerability that was tagged with an “Exploitation Detected” rating is CVE-2024-49035 (CVSS score: 8.7), a privilege escalation vulnerability in Partner.Microsoft(.)com.
“An improper access control vulnerability in Partner.Microsoft(.)com allows an unauthenticated attacker to escalate privileges on a network,” the tech giant said in an advisory published this week.
Microsoft credited Gautam Peri, Apoorv Wadhwa and an anonymous researcher for reporting the flaw, but revealed no details about how it is exploited in real-world attacks.
Fixes for the flaw are deployed automatically as part of updates to the online version of Microsoft Power Apps. Redmond also addressed three other vulnerabilities, two of which are rated critical and one of which is rated important in terms of severity:
- CVE-2024-49038 (CVSS score: 9.3) – A cross-site scripting (XSS) vulnerability in Copilot Studio that could allow an unauthorized attacker to elevate privileges on a network.
- CVE-2024-49052 (CVSS score: 8.2) – Missing authentication for a critical function in Microsoft Azure PolicyWatch that could allow an unauthorized attacker to elevate privileges on a network.
- CVE-2024-49053 (CVSS score: 7.6) – A spoofing vulnerability in Microsoft Dynamics 365 Sales that could allow an authenticated attacker to trick a user into clicking on a specially crafted URL and potentially redirect the victim to a malicious site.
Although most of the vulnerabilities have already been fully mitigated and require no user action, it is advisable to update the Dynamics 365 Sales apps for Android and iOS to the latest version (3.24104.15) to protect against CVE-2024-49053.