Information security company High-Tech Bridge has uncovered a flaw in the Microsoft Dynamics CRM package that could allow the insertion of malicious code.
The self-XSS issue isn't currently recognised by Microsoft itself as a flaw, but it could be used to trick a logged-in user into pasting malicious HTML and script code into the 'newUsers_ledit' input field on vulnerable websites that are otherwise thought to be secure.
"Taking into consideration that same vulnerabilities were actively and successfully exploited by hackers in 2014, this XSS vulnerability is pretty serious, despite the 'low' category we assigned due to this being a relatively complex exploitation. I think that Microsoft's decision not to patch the vulnerability is wrong as, regardless of their general policy, they should think about their customers' security first and foremost," says Ilia Kolochenko, CEO of High-Tech Bridge and Chief Architect of ImmuniWeb. "Such vulnerabilities could potentially be ignored in the past, but not in 2015, especially in such popular and sensitive products as Dynamics CRM."
Dynamics CRM is used by the US government among others. High-Tech Bridge's security advisory says that it could be exploited using a social engineering technique to get a user to copy some seemingly legitimate text from a specially prepared malicious document to their clipboard and then paste it into the vulnerable web page.
It recommends that companies protect themselves by blocking access to the vulnerable script using a firewall or web server configuration as a temporary solution.
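The root cause of a self-XSS like the one described above is that text pasted into a form field ends up in the page as live markup rather than as literal text. The following is an added illustration (not code from High-Tech Bridge's advisory or from Microsoft) of that rendering mistake beside the hardened form; the field name 'newUsers_ledit' comes from the article, while the render functions, the `containsMarkup` check and the sample pasted text are constructed for the example.

```javascript
// Added example: how a pasted value becomes a self-XSS, and how to neutralise it.
// Only the field name 'newUsers_ledit' comes from the article; the functions and
// sample text below are constructed for illustration.

// HTML-escape the five characters that let text break out of a text node or an
// attribute value. This is the standard defence whenever untrusted text has to be
// placed into markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the value of the 'newUsers_ledit' field is concatenated
// straight into markup, so any tags the user pasted become real elements when
// the browser parses the result.
function renderUnsafe(fieldValue) {
  return `<li class="user">${fieldValue}</li>`;
}

// Hardened pattern: the same value is escaped on output, so it is displayed
// literally and never interpreted as HTML or script.
function renderSafe(fieldValue) {
  return `<li class="user">${escapeHtml(fieldValue)}</li>`;
}

// Defensive check usable on the server or in the client: a plain user name
// should contain no angle brackets or entity references. Use it to reject or
// log suspicious submissions, not as the only defence; escaping on output
// (renderSafe) remains mandatory.
function containsMarkup(fieldValue) {
  return /[<>]/.test(fieldValue) || /&#?\w+;/.test(fieldValue);
}

// Constructed sample: text a user might be induced to paste from a document.
const pastedValue = 'Alice <b>Admin</b>';

console.log('unsafe:', renderUnsafe(pastedValue)); // tags survive as markup
console.log('safe:  ', renderSafe(pastedValue));   // tags shown as text
console.log('flag:  ', containsMarkup(pastedValue)); // true

// In a browser, assigning textContent instead of innerHTML gives the same
// protection without manual escaping; guarded so the block also runs under Node.
if (typeof document !== 'undefined') {
  const li = document.createElement('li');
  li.textContent = pastedValue; // the string is never parsed as HTML
  console.log(li.outerHTML);
}
```

The `containsMarkup` check is a detection aid for logging or rejecting odd input in a field that should only ever hold a name; the actual fix is the output encoding in `renderSafe` (or `textContent` in the DOM), which is what a vendor patch or a web-application firewall rule would need to enforce.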
You can read the full advisory on the High-Tech Bridge website or there's a video explaining how it could be exploited below.