Information security company High-Tech Bridge has uncovered a “self-XSS” vulnerability in Microsoft’s Dynamics CRM. The flaw allows remote attackers to trick a logged-in, authenticated user into inserting malicious HTML and script code into the “newUsers_ledit” input field on vulnerable Dynamics CRM sites that are otherwise considered secure.
Microsoft itself does not recognise the self-XSS issue found in Dynamics CRM, which is used by the US government, as a vulnerability, but Ilia Kolochenko, CEO of High-Tech Bridge and Chief Architect of ImmuniWeb, comments:
“Taking into consideration that the same vulnerabilities were actively and successfully exploited by hackers in 2014, this XSS vulnerability is pretty serious, despite the “low” category we assigned due to this being a relatively complex exploitation. I think that Microsoft’s decision not to patch the vulnerability is wrong as, regardless of their general policy, they should think about their customers’ security first and foremost.
Such vulnerabilities could potentially be ignored in the past, but not in 2015, especially in such popular and sensitive products as Dynamics CRM.”
Click here to view a video showing exactly how High-Tech Bridge exploited this vulnerability upon discovery: