Fixes have been issued by Microsoft to address four vulnerabilities affecting its products, including an actively exploited high-severity improper access control issue in its Partner Network website, tracked as CVE-2024-49035, The Hacker News reports.
Microsoft has noted that the flaw, which was discovered by Microsoft employees Apoorv Wadhwa, Gautam Peri, and an anonymous researcher, could allow privilege escalation without authentication, but it has not provided additional details regarding its exploitation. Microsoft also addressed a critical cross-site scripting bug in Copilot Studio, tracked as CVE-2024-49038, and a high-severity missing authentication for a critical function flaw in Azure PolicyWatch, tracked as CVE-2024-49052, both of which could be used to elevate network privileges, as well as a high-severity spoofing bug in Microsoft Dynamics 365 Sales, tracked as CVE-2024-49053, which could facilitate lures to malicious websites. No further user action is required for the first three vulnerabilities, but an immediate update of the Dynamics 365 Sales apps for iOS and Android has been recommended.