Microsoft has fixed four vulnerabilities in its services. The vulnerabilities were detected in Microsoft Copilot Studio, the Partner.Microsoft.Com portal, Azure PolicyWatch, and Dynamics 365 Sales.
On November 26th, Microsoft released four new security advisories.
Microsoft Copilot Studio, a platform for building custom AI agents, was affected by a critical vulnerability rated 9.3 out of 10 (CVE-2024-49038). The tech giant said it has fully mitigated this flaw, and there are no further actions for users to take.
“Improper neutralization of input during web page generation ('Cross-site Scripting') in Copilot Studio by an unauthorized attacker leads to elevation of privilege over a network,” Microsoft said.
Partner.Microsoft.Com, the official portal for Microsoft partners that offers resources and tools, was affected by a high-severity elevation of privilege vulnerability rated 8.7/10, labeled CVE-2024-49035.
Microsoft detected exploitation of this improper access control flaw in the wild. Unauthenticated attackers could use it to elevate privileges over a network. Users don't need to take any action, as the fix is being rolled out automatically over several days.
Microsoft Azure PolicyWatch, a service within Microsoft Azure that allows organizations to create, assign, and manage policies, was affected by an 8.2/10 flaw (CVE-2024-49052).
“Missing authentication for critical function in Microsoft Azure PolicyWatch allows an unauthorized attacker to elevate privileges over a network,” the description reads.
Microsoft said the vulnerability has been fully mitigated, and users of this service need not take any action.
Microsoft Dynamics 365 Sales, a cloud-based customer relationship management (CRM) solution, was affected by an important 7.6 out of 10 spoofing vulnerability (CVE-2024-49053).
It enabled potential attackers to modify the content of the vulnerable link to redirect the victim to a malicious site. Attackers needed to be authenticated to exploit this vulnerability, but no higher privileges, such as admin rights, were required. The user would need to click on a specially crafted URL for the attacker to have a chance of compromising them.
“The vulnerability is in the web server, but the malicious scripts execute in the victim’s browser on their machine,” Microsoft said.
There are no signs of exploitation of this previously undisclosed flaw.
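As an added illustration (not Microsoft's code, and not a reproduction of the Dynamics 365 Sales flaw, whose internals Microsoft has not published), the Python below shows the redirect-target check that this class of link-spoofing bug lives in: a typical weak check beside a hardened one, run over constructed sample links of the kind an attacker places in a crafted URL. The trusted host name crm.example.com, the function names and the sample URLs are assumptions for the example.

```python
"""Redirect-target validation: a naive check beside a hardened one.

Illustrative example only. It is not Microsoft's code and does not reproduce
CVE-2024-49053; it demonstrates the general bug class the article describes,
where an attacker changes the target carried in a link so that a trusted site
forwards the victim elsewhere. Host name and sample URLs are constructed.
"""
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Assumed origin of the trusted application (hypothetical host name).
TRUSTED_HOST = "crm.example.com"


def naive_is_safe_redirect(target: str) -> bool:
    """Typical weak check: 'starts with one slash, so it stays on our site'.

    Still defeated by "/\\evil.example": browsers treat a backslash after the
    leading slash as a second slash, turning it into a scheme-relative URL.
    """
    return target.startswith("/") and not target.startswith("//")


def safe_redirect_target(target: str, trusted_host: str = TRUSTED_HOST) -> Optional[str]:
    """Return an absolute HTTPS URL on trusted_host, or None to reject.

    Callers redirect to the returned value, never to the raw input, so the
    URL that was validated is the URL that is actually sent to the browser.
    """
    # Reject backslash tricks and characters usable for header injection.
    if not target or any(ch in target for ch in "\\\r\n\t "):
        return None
    base = f"https://{trusted_host}/"
    # Resolve relative references the same way a browser would, then inspect
    # the result rather than the raw string.
    resolved = urljoin(base, target)
    parts = urlsplit(resolved)
    # Compare the whole netloc so userinfo ("host@evil") and port tricks fail.
    if parts.scheme != "https" or parts.netloc != trusted_host:
        return None
    return resolved


# Constructed sample targets, as they might appear in a crafted link.
SAMPLE_TARGETS = [
    "/opportunities/42",                       # legitimate, same site
    "//evil.example/login",                    # scheme-relative: leaves the site
    "/\\evil.example/login",                   # backslash variant of the above
    "https://crm.example.com@evil.example/",   # userinfo trick
    "javascript:alert(document.cookie)",       # script pseudo-URL
]


def evaluate(targets=SAMPLE_TARGETS):
    """Map each sample target to (naive verdict, hardened result)."""
    return {t: (naive_is_safe_redirect(t), safe_redirect_target(t)) for t in targets}


if __name__ == "__main__":
    for target, (naive_ok, hardened) in evaluate().items():
        print(f"{target!r:45} naive={naive_ok!s:5} hardened={hardened}")
```

The naive check accepts the backslash variant, which is exactly the kind of crafted URL a victim would be tricked into clicking; the hardened version rejects it and, for legitimate paths, hands back the canonical absolute URL so the application never echoes attacker-controlled text into a Location header.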