CVE-2021-36946 - OpenCVE

Microsoft Dynamics Business Central Cross-site Scripting Vulnerability

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Dynamics 365 Business Central Dynamics Nav

Configuration 1 [-]

OR	cpe:2.3:a:microsoft:dynamics_365_business_central:2019:spring_update::::::
	cpe:2.3:a:microsoft:dynamics_365_business_central:2020:release_wave_1::::::
	cpe:2.3:a:microsoft:dynamics_365_business_central:2020:release_wave_2::::::
	cpe:2.3:a:microsoft:dynamics_nav:2017:::::::*
	cpe:2.3:a:microsoft:dynamics_nav:2018:::::::*

References

Link	Resource
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36946	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: microsoft

Published: 2021-08-12T18:12:34

Updated: 2023-12-28T19:54:01.481Z

Reserved: 2021-07-19T00:00:00

Link: CVE-2021-36946

JSON object: View

NVD Information

Status : Modified

Published: 2021-08-12T18:15:10.110

Modified: 2023-12-28T20:15:53.573

Link: CVE-2021-36946

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"title": "Microsoft Dynamics Business Central Cross-site Scripting Vulnerability", "datePublic": "2021-08-10T07:00:00+00:00", "affected": [{"vendor": "Microsoft", "product": "Microsoft Dynamics NAV 2017", "cpes": ["cpe:2.3:a:microsoft:dynamics_nav:2017:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "1.0", "lessThan": "30601", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Dynamics NAV 2018", "cpes": ["cpe:2.3:a:microsoft:dynamics_nav:2018:*:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "1.0", "lessThan": "47562", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Dynamics 365 Business Central Spring 2019 Update", "cpes": ["cpe:2.3:a:microsoft:dynamics_365_business_central:2019:spring_update:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "14.0.0", "lessThan": "Application Build 14.27.47563, Platform Build 14.0", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Dynamics 365 Business Central 2020 Release Wave 2 - Update 17.9", "cpes": ["cpe:2.3:a:microsoft:dynamics_365_business_central:2020:release_wave_2:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "17.0", "lessThan": "Application Build 17.9.28504, Platform Build 17.0.", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Dynamics 365 Business Central 2020 Release Wave 1 - Update 16.15", "cpes": ["cpe:2.3:a:microsoft:dynamics_365_business_central:2020:release_wave_1:*:*:*:*:*:*"], "platforms": ["Unknown"], "versions": [{"version": "16.0", "lessThan": "Application Build 16.15.28500, Platform Build 16.0", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Microsoft Dynamics Business Central Cross-site Scripting Vulnerability", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "Spoofing", "lang": "en-US", "type": "Impact"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2023-12-28T19:54:01.481Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36946"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C"}}]}}, "cveMetadata": {"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "assignerShortName": "microsoft", "cveId": "CVE-2021-36946", "datePublished": "2021-08-12T18:12:34", "dateReserved": "2021-07-19T00:00:00", "dateUpdated": "2023-12-28T19:54:01.481Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:dynamics_365_business_central:2019:spring_update:*:*:*:*:*:*", "matchCriteriaId": "344834A1-6BC8-41F1-A225-6051FAE857A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:dynamics_365_business_central:2020:release_wave_1:*:*:*:*:*:*", "matchCriteriaId": "F51A2D68-9B05-4565-8677-82761652876F", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:dynamics_365_business_central:2020:release_wave_2:*:*:*:*:*:*", "matchCriteriaId": "BBA207FC-8ADA-4DA9-BCE5-5ABB51B1C2C8", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:dynamics_nav:2017:*:*:*:*:*:*:*", "matchCriteriaId": "6C147B08-82DF-4051-ACA4-B1ACEDB15FC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:dynamics_nav:2018:*:*:*:*:*:*:*", "matchCriteriaId": "FA8EA7FF-BEE3-47A5-B711-83191CBFCE40", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Microsoft Dynamics Business Central Cross-site Scripting Vulnerability"}, {"lang": "es", "value": "Una Vulnerabilidad de tipo Cross-site Scripting en Microsoft Dynamics Business Central"}], "id": "CVE-2021-36946", "lastModified": "2023-12-28T20:15:53.573", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "secure@microsoft.com", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2021-08-12T18:15:10.110", "references": [{"source": "secure@microsoft.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36946"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}