Three critical security vulnerabilities in the Microsoft Dynamics 365 and Power Apps Web API, discovered by Stratus Security, were patched in May 2024. Two of the flaws stemmed from inadequate access control in the Power Platform’s OData Web API Filter and exposed sensitive contact data; the third resided in the FetchXML API and allowed attackers to bypass access controls through crafted queries. By exploiting these flaws, attackers could extract password hashes and emails, potentially compromising sensitive data. The incident highlights the importance of continuous cybersecurity vigilance, particularly for data-rich platforms like Microsoft’s.