Self-XSS in Microsoft Dynamics CRM 2013 SP1
|Product:||Microsoft Dynamics CRM 2013 SP1|
|Vulnerable Versions:||(220.127.116.11) (DB 18.104.22.168) and probably prior|
|Tested Version:||(22.214.171.124) (DB 126.96.36.199)|
|Advisory Publication:||December 29, 2014 [without technical details]|
|Vendor Notification:||December 29, 2014|
|Public Disclosure:||January 7, 2015|
|Latest Update:||January 6, 2015|
|Vulnerability Type:||Cross-Site Scripting [CWE-79]|
|CVSSv2 Base Score:||2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge Security Research Lab discovered a DOM-based self-XSS vulnerability in Microsoft Dynamics CRM 2013 SP1, which can be exploited to perform Cross-Site Scripting attacks against authenticated users.
|On the 31st of December 2014, Microsoft replied the following:|
"MSRC does not consider self-XSS issues to be security vulnerabilities. For a discussion of how we define security vulnerabilities, see http://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx "
Taking into consideration the rise of successful self-XSS attacks campaigns in 2014 we do consider this issue to be a security vulnerability. As vendor refused to provide an official fix for the vulnerability, we suggest to block access to the vulnerable script using WAF or web server configuration as a temporary solution.
| High-Tech Bridge Advisory HTB23245 - https://www.immuniweb.com/advisory/HTB23245 - Self-XSS in Microsoft Dynamics CRM 2013 SP1.|
 Microsoft Dynamics CRM 2013 - http://www.microsoft.com/en-us/dynamics/crm.aspx - Microsoft Dynamics CRM is our customer relationship management (CRM) business solution that drives sales productivity and marketing effectiveness through social insights, business intelligence, and campaign management in the cloud, on-premises, or with a hybrid combination.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
 ImmuniWeb® - Leveraging the power of machine-learning and genius of human brain to deliver the most advanced web application security and penetration testing.
 ImmuniWeb® SSLScan - Test your servers for security and compliance with PCI DSS, HIPAA and NIST.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.