Stratus Security researchers have published further details on three significant flaws in the Microsoft Dynamics 365 and Power Apps Web API that could be leveraged to facilitate data compromise, months after Microsoft addressed them, The Hacker News reports. Two of the issues affected Power Platform's OData Web API Filter: the first stemmed from inadequate access control, which enabled access to sensitive data and could potentially be exploited to obtain complete hashes, while the second arose from use of the orderby clause in the same API to gather needed database information, according to the researchers. The third vulnerability affected the FetchXML API and could be abused to build an orderby query while evading access controls. "The discovery of vulnerabilities in the Dynamics 365 and Power Apps API underscores a critical reminder: cybersecurity requires constant vigilance, especially for large companies that hold so much data like Microsoft," said Stratus Security.
Application security, Vulnerability Management
Patched data-exposing Microsoft Dynamics 365, Power Apps Web API bugs detailed
