CVE-2024-38166 - Vulnerability Details - OpenCVE

An unauthenticated attacker can exploit improper neutralization of input during web page generation in Microsoft Dynamics 365 to spoof over a network by tricking a user to click on a link.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Microsoft	Dynamics Crm Service Portal Web Resource

Configuration 1 [-]

cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38166

History

Tue, 31 Dec 2024 22:45:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource::::::::

Mon, 12 Aug 2024 19:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource:-:::::::*

Wed, 07 Aug 2024 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 06 Aug 2024 21:45:00 +0000

Type	Values Removed	Values Added
Description		An unauthenticated attacker can exploit improper neutralization of input during web page generation in Microsoft Dynamics 365 to spoof over a network by tricking a user to click on a link.
Title		Microsoft Dynamics 365 Cross-site Scripting Vulnerability
First Time appeared		Microsoft Microsoft dynamics Crm Service Portal Web Resource
Weaknesses		CWE-79
CPEs		cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource::::::::
Vendors & Products		Microsoft Microsoft dynamics Crm Service Portal Web Resource
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38166
Metrics		cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C'}`

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2024-08-06T21:38:18.586Z

Updated: 2025-07-10T16:33:49.377Z

Reserved: 2024-06-11T22:36:08.212Z

Link: CVE-2024-38166

Vulnrichment

Updated: 2024-08-07T17:53:11.455Z

NVD

Status : Modified

Published: 2024-08-06T22:15:54.163

Modified: 2024-08-14T00:15:07.687

Link: CVE-2024-38166

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38166", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2024-06-11T22:36:08.212Z", "datePublished": "2024-08-06T21:38:18.586Z", "dateUpdated": "2025-07-10T16:33:49.377Z"}, "containers": {"cna": {"title": "Microsoft Dynamics 365 Cross-site Scripting Vulnerability", "datePublic": "2024-08-06T07:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource:*:*:*:*:*:*:*:*", "versionStartIncluding": "N/A"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Dynamics CRM Service Portal Web Resource", "platforms": ["Unknown"], "versions": [{"version": "N/A", "status": "affected"}]}], "descriptions": [{"value": "An unauthenticated attacker can exploit improper neutralization of input during web page generation in Microsoft Dynamics 365 to spoof over a network by tricking a user to click on a link.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en-US", "type": "CWE", "cweId": "CWE-79"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2025-07-10T16:33:49.377Z"}, "references": [{"name": "Microsoft Dynamics 365 Cross-site Scripting Vulnerability", "tags": ["vendor-advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38166"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-07T17:52:59.098953Z", "id": "CVE-2024-38166", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-07T17:53:21.156Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38166", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-07T17:52:59.098953Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-07T17:53:11.455Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Microsoft Dynamics 365 Cross-site Scripting Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Dynamics CRM Service Portal Web Resource", "versions": [{"status": "affected", "version": "N/A"}], "platforms": ["Unknown"]}], "datePublic": "2024-08-06T07:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38166", "name": "Microsoft Dynamics 365 Cross-site Scripting Vulnerability", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "An unauthenticated attacker can exploit improper neutralization of input during web page generation in Microsoft Dynamics 365 to spoof over a network by tricking a user to click on a link."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "N/A"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2025-07-10T16:33:49.377Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38166", "state": "PUBLISHED", "dateUpdated": "2025-07-10T16:33:49.377Z", "dateReserved": "2024-06-11T22:36:08.212Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2024-08-06T21:38:18.586Z", "assignerShortName": "microsoft"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:dynamics_crm_service_portal_web_resource:-:*:*:*:*:*:*:*", "matchCriteriaId": "8C6F0036-1B3D-4C05-9D82-05C107F5578C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "An unauthenticated attacker can exploit improper neutralization of input during web page generation in Microsoft Dynamics 365 to spoof over a network by tricking a user to click on a link."}, {"lang": "es", "value": "Un atacante no autenticado puede aprovechar la neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de una p\u00e1gina web en Microsoft Dynamics 365 para falsificar una red enga\u00f1ando a un usuario para que haga clic en un enlace."}], "id": "CVE-2024-38166", "lastModified": "2024-08-14T00:15:07.687", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "secure@microsoft.com", "type": "Secondary"}]}, "published": "2024-08-06T22:15:54.163", "references": [{"source": "secure@microsoft.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38166"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "secure@microsoft.com", "type": "Primary"}]}