Microsoft has patched four security vulnerabilities across its cloud services and products, one of which has been exploited in the wild. The actively exploited flaw is CVE-2024-49035 (CVSS score: 8.7), an improper access control issue in the partner.microsoft.com portal that allows an unauthenticated attacker to elevate privileges over a network.
The other patched vulnerabilities include:
- CVE-2024-49038 (CVSS score: 9.3) – A cross-site scripting (XSS) vulnerability in Copilot Studio that could allow an unauthorized attacker to escalate privileges over a network
- CVE-2024-49052 (CVSS score: 8.2) – A missing authentication for a critical function vulnerability in Microsoft Azure PolicyWatch that could allow an unauthorized attacker to escalate privileges over a network
- CVE-2024-49053 (CVSS score: 7.6) – A spoofing vulnerability in Microsoft Dynamics 365 Sales that could allow an authenticated attacker to trick a user into clicking on a specially crafted URL and potentially redirect the victim to a malicious site
Most of the fixes are being deployed automatically through Microsoft Power Apps updates and require no customer action. The exception is CVE-2024-49053: users of the Dynamics 365 Sales mobile app must update it to version 3.24104.15 to be protected against the spoofing vulnerability.
While Microsoft has credited the researchers who reported CVE-2024-49035, it has not provided any details about how the flaw is being exploited in the wild or who is behind the attacks.