XSS Vulnerability in Microsoft Dynamics CRM 2013 SP1

There were reports of a self-XSS vulnerability affecting Microsoft Dynamics CRM 2011 and 2013.

Our development team has addressed this problem in CRM 2013. It consisted of incorrect behaviour when the lookup auto-resolve of Biz/Users/AddUsers/SelectUsersPage.aspx hits an exception, or when the application web service call returns an error (HTTP 500 in this case, instead of 200).

On that error path the code did not properly build the unresolved lookup item; instead it injected the user's entered text directly back into the lookup field without first HTML-encoding it. It has been demonstrated that this behaviour can potentially be abused, so our product team has redesigned it.
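The following is an added illustration of the pattern described above, not code from Dynamics CRM: a lookup auto-resolve whose failure branch falls back to echoing the typed text, shown once without encoding and once with the encode-before-render fix. All function names, the CSS class names and the simulated web service are assumptions.

```javascript
// Added illustration (hypothetical names, not Dynamics CRM code): an
// auto-resolve fallback that echoes typed text, and its encoded form.

// Encode the characters that change meaning when text lands in HTML.
function htmlEncode(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the resolve call failed, so the page rebuilds the
// field from the raw typed text, which the browser then parses as markup.
function buildUnresolvedItemVulnerable(typedText) {
  return '<span class="lookup-unresolved">' + typedText + "</span>";
}

// Fixed pattern: same fallback, but the text is encoded first so it is
// rendered as text rather than interpreted as HTML.
function buildUnresolvedItemFixed(typedText) {
  return '<span class="lookup-unresolved">' + htmlEncode(typedText) + "</span>";
}

// Simulated auto-resolve. callService models the web service call and
// returns { status: 200, records: [...] } or { status: 500 }; a thrown
// exception is treated like a 500. Only failures reach buildUnresolved.
function autoResolve(typedText, callService, buildUnresolved) {
  let response;
  try {
    response = callService(typedText);
  } catch (e) {
    response = { status: 500 };
  }
  if (response.status === 200 && response.records.length === 1) {
    const name = htmlEncode(response.records[0].name);
    return '<span class="lookup-resolved">' + name + "</span>";
  }
  return buildUnresolved(typedText);
}

// Constructed sample input: a service that always fails, and typed text
// that happens to contain markup.
const failingService = () => ({ status: 500 });
const SAMPLE_INPUT = "<b>no such user</b>";
```

Running `autoResolve(SAMPLE_INPUT, failingService, ...)` with each builder shows the raw `<b>` surviving in the vulnerable output and `&lt;b&gt;` in the fixed one.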

This issue is fixed in the latest rollup for CRM 2013, Update Rollup 2 for SP1, which can be downloaded from here.

For Dynamics CRM 2011, a fix is being worked on for release in a future Update Rollup; if you wish to be kept up to date on its status, please raise a support case with Dynamics CRM Support.

Note: The issue only exists when the call performed by the page fails, which is a rare scenario, and when the user is the target of an external attack, a risk that must be evaluated by your company's network administrator.

Best Regards

EMEA Dynamics CRM Support Team
