Hello Everyone, Product: MS Dynamic CRM 2016 Vendor: Microsoft Vulnerability type: Cross Site Scripting Vulnerable version: MS Dynamic CRM 2016 SP1 and previous Vulnerable component: SyncFilterPage.aspx Report confidence: Confirmed Solution status: Not fixed by Vendor, will not patch the vuln. Fixed versions: - Researcher credits: Gregory DRAPERI Vendor notification: 2017-05-30 Solution date: Public disclosure: 2016-07-01 Reference: https://remoteawesomethoughts.blogspot.com/2017/06/cross-site-scripting-vulnerability-in.html CVE reference: CVSSv3: 5.4 <https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N> Vulnerability Details: MS Dynamic CRM 2016 is CRM tool. So like all others Customer Relationship Management (CRM) applications are here to manage company's interaction with current and potential customers.There is a specific web-page accessible to define filters. This webpage is accessible without authentication so it is easy to check its existence. The vulnerability in located in the webpage "SyncFilterPage.aspx" that will interpret arbitrary JavaScript in case this link is submitted. The vulnerability might also be present on Microsoft Dynamic CRM in the cloud. It has not been possible to gather an account to verify. If someone can try or share with me an instance URL I would be more than happy. Risk: The malicious script can access any cookies without a HTTPOnly flag or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page to perform phishing attemps or perform actions on the behalf of the logged user. PoC: http://X.X.X.X/_controls/EditFilterControl/SyncFilterPage.aspx?requiredFields=toto%22;}alert(document.cookie);function%20test(){var%20a=%22test Timelines I tried to reach out Microsoft several times but after their first response seeming to say it was not a real vulnerability, I have not received any responses. 30/05/2017: First email to secure@xxxxxxxxxxxxx to disclose the vulnerability 30/05/2107: Answer from Microsoft asking for more details and pointing to a link defining what Microsoft thinks is a vulnerability (https://technet.microsoft.com/library/cc751383.aspx) 31/05/2017: Second email explaining why it is a vulnerability and giving more details 02/06/2017: Third attempt to check if they need more details 06/06/2017: Fourth attempt to check if they need more details 16/06/2017: Fifth attempt to check if they need more details and letting them know that it will be published in case they think it won't be fixed 28/06/2017: Last attempt to check if they need more details and letting them know that it will be published Best, Gregory -- Grégory Draperi