
#Microsoft Dynamics

CVE-2022-23259: Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** An authenticated user could run a specially crafted trusted solution package to execute arbitrary SQL commands. From there the attacker could escalate and execute commands as db\_owner within their Dynamics 365 database.

Microsoft Security Response Center
CVE-2022-21957: Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

**Are the updates for the Microsoft Dynamics 365 (on-premises) versions listed in this vulnerability currently available?** The security updates for Microsoft Dynamics 365 (on-premises) version 8.2 and Microsoft Dynamics 365 (on-premises) version 9.1 are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.

CVE-2021-42316: Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

**What is the attack vector for this vulnerability?** An attacker can write to any file where the webserver user (nt authority\\network service) has write access.

CVE-2021-40457: Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability

**The CVSS Score says user action is required. What type of user action is required?** A user would have to open a maliciously crafted email sent to Dynamics 365 Customer Engagement.