Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability. The user would have to click on a specially crafted URL to be compromised by the attacker. The vulnerability is in the web server, but the malicious scripts execute in the victim's browser on their machine. Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. The attacker is only able to modify the content of the vulnerable link to redirect the victim to a malicious site.