Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability. Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. A user could be tricked into entering credentials or responding to a pop up after opening a specially crafted file or clicking on a link, typically by way of an enticement in an email or URL. The user would need to click on a specially crafted URL that could present a popup box requesting additional user input. Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. The user would need to access the URL of the malicious website, which could spoof the content of a legitimate website, and then click a popup displayed on that site.