Three significant security vulnerabilities in Microsoft’s Dynamics 365 and Power Apps Web API have been identified and patched as of May 2024. The flaws, discovered by Stratus Security, could have exposed sensitive user data.
Two vulnerabilities were found in Power Platform’s OData Web API Filter:
1. A lack of access control allowed unauthorized access to the contacts table, exposing sensitive information including personal details, financial data, and password hashes. Attackers could perform boolean-based searches to extract complete password hashes character by character.
2. The orderby clause could be exploited to obtain data from specific database table columns, such as primary email addresses.
The third vulnerability affected the FetchXML API:
– Attackers could bypass access controls by crafting orderby queries on any column when accessing the contacts table, providing additional flexibility in the attack method.
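The two query patterns described above (character-by-character boolean probing through the OData filter, and orderby on a column the caller should not be able to read) leave a distinctive trace in Web API access logs. The following is an added detection example, not code from the article, Stratus Security or Microsoft; the log format, the column names and the use of an OData startswith() filter are assumptions.

```python
# Added example: flag the two OData Web API abuse patterns described in the
# article over constructed access-log lines. Column names are placeholders,
# not Dataverse schema names, and the log format is assumed.
import re
from urllib.parse import urlparse, parse_qs, unquote

# Assumed columns on the contacts entity that a caller must not read directly.
SENSITIVE_COLUMNS = {"passwordhash", "emailaddress1"}
# Number of consecutive one-character prefix extensions before we alert.
PROBE_THRESHOLD = 3

# Constructed log lines: "<client> <method> <path?query>"
SAMPLE_LOG = """\
10.0.0.5 GET /api/data/v9.2/contacts?$filter=startswith(passwordhash,'a')
10.0.0.5 GET /api/data/v9.2/contacts?$filter=startswith(passwordhash,'ab')
10.0.0.5 GET /api/data/v9.2/contacts?$filter=startswith(passwordhash,'abc')
10.0.0.9 GET /api/data/v9.2/contacts?$orderby=emailaddress1
10.0.0.7 GET /api/data/v9.2/accounts?$filter=startswith(name,'Con')
"""

STARTSWITH = re.compile(r"startswith\((\w+),\s*'([^']*)'\)", re.I)


def analyse(log_text):
    """Return (client, finding, column) tuples for suspicious contacts queries."""
    findings = []
    state = {}  # (client, column) -> (last probed prefix, streak length)
    for line in log_text.splitlines():
        client, _method, target = line.split(" ", 2)
        url = urlparse(target)
        if url.path.rsplit("/", 1)[-1] != "contacts":
            continue  # only the contacts table is in scope here
        q = {k.lower(): v[0] for k, v in parse_qs(url.query).items()}
        # Pattern 2: $orderby used to read a sensitive column indirectly.
        if "$orderby" in q:
            col = q["$orderby"].split()[0].lower()
            if col in SENSITIVE_COLUMNS:
                findings.append((client, "orderby_leak", col))
        # Pattern 1: boolean-based probing, one extra character per request.
        if "$filter" in q:
            m = STARTSWITH.search(unquote(q["$filter"]))
            if m and m.group(1).lower() in SENSITIVE_COLUMNS:
                col, prefix = m.group(1).lower(), m.group(2)
                last, streak = state.get((client, col), ("", 0))
                grew = len(prefix) == len(last) + 1 and prefix.startswith(last)
                streak = streak + 1 if grew else 0
                state[(client, col)] = (prefix, streak)
                if streak == PROBE_THRESHOLD:
                    findings.append((client, "prefix_probing", col))
    return findings
```

The real fix is server-side access control on the table and on filter/orderby columns; this kind of log check only tells you whether the pattern was tried.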
These vulnerabilities could have enabled malicious actors to compile lists of password hashes and emails for potential cracking or sale on dark markets. Microsoft has since addressed these security issues through patches, highlighting the importance of continuous cybersecurity monitoring in large-scale data management systems.