Microsoft has addressed four security flaws affecting its artificial intelligence (AI), cloud, enterprise resource planning, and Partner Center services. One of them is actually being exploited.
The vulnerability tagged with the “Exploitation Detected” rating is CVE-2024-49035 (CVSS score: 8.7), a privilege escalation flaw in partner.microsoft(.)com.
“An improper access control vulnerability in partner.microsoft(.)com could allow an unauthenticated attacker to escalate privileges over the network,” the tech giant said in an advisory released this week.
Microsoft acknowledged that Gautam Peri, Apoorv Wadhwa, and an anonymous researcher reported the flaw, but did not provide details on how it could be exploited in an actual attack.
Fixes for the flaw are deployed automatically as part of updates to the online version of Microsoft Power Apps. Redmond also addressed three other vulnerabilities, two rated as Critical and one as Important.
CVE-2024-49038 (CVSS Score: 9.3) – A cross-site scripting (XSS) vulnerability in Copilot Studio that could allow an unprivileged attacker to escalate privileges over the network.
CVE-2024-49052 (CVSS Score: 8.2) – A missing authentication for a critical function vulnerability in Microsoft Azure PolicyWatch that could allow an unprivileged attacker to escalate their privileges over the network.
CVE-2024-49053 (CVSS Score: 7.6) – A spoofing vulnerability in Microsoft Dynamics 365 Sales that could allow an authenticated attacker to trick a user into clicking a specially crafted URL, potentially redirecting the victim to a malicious site.
Although most of the vulnerabilities are already fully mitigated and require no user action, updating the Dynamics 365 Sales apps for Android and iOS to the latest version (3.24104.15) is recommended to protect against CVE-2024-49053.