Microsoft Dynamics security vulnerability - when is a security issue not a security issue... when we tell you it isn't?



A "DOM-based self-XSS vulnerability" in Microsoft Dynamics CRM 2013 SP1 was recently discovered by IT security firm High-Tech Bridge. If exploited, it could be used for cross-site scripting (XSS) attacks against authenticated Dynamics CRM users.

"We do not consider this a security vulnerability as it requires the use of social engineering to convince an authenticated user to enter some specific malicious code – in this instance putting it into a field on the Dynamics CRM application. We recommend that our customers always exercise caution when accepting content from untrusted sources. Additional protection guidance can be found at: www.microsoft.com/protect."

http://msdynamicsworld.com/story/new-dynamics-crm-2013-sp1-security-vulnerability-sparking-all-hands-deck-response-microsoft