Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability. Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. A user could be tricked into entering credentials or responding to a pop up after opening a specially crafted file or clicking on a link, typically by way of an enticement in an email or URL.