Microsoft on Tuesday announced patching potentially serious information disclosure and privilege escalation vulnerabilities in Power Platform and Dataverse, as well as the Imagine Cup website.
The tech giant has assigned a maximum severity rating of ‘critical’ to each of the flaws, but based on their CVSS scores they are all high-severity issues.
In Power Platform, a low-code platform designed for securing and managing apps, workflows and AI-powered tools, Microsoft fixed CVE-2024-38190, a missing authorization vulnerability that could have allowed an unauthenticated attacker to view sensitive information.
In Dataverse, a component of the Power Platform that lets users securely store and manage data used by business applications, the company addressed CVE-2024-38139, an improper authentication issue that could have been exploited by an authenticated attacker to elevate privileges.
In the website for Imagine Cup, a competition for student startup founders who use AI technologies, Microsoft patched CVE-2024-38204, an improper access control issue that could have been leveraged by an authenticated attacker to elevate privileges.
Because the issues have been fully mitigated server-side, users of the impacted services do not need to take any action. Microsoft has not found any evidence that they were exploited in the wild before they were patched, and details of the flaws have not been publicly disclosed.
Microsoft announced earlier this year that it has decided to assign CVE identifiers even to cloud service vulnerabilities that do not require any action from users, for transparency.
However, the tech giant’s Security Update Guide and APIs have been updated to allow users to filter out these types of flaws in case they don’t want to waste any time or energy on them.
Related: Iranian Cyberspies Exploiting Recent Windows Kernel Vulnerability
Related: Microsoft Confirms Exploited Zero-Day in Windows Management Console
Related: Microsoft Says Recent Windows Vulnerability Exploited as Zero-Day
