Information Disclosure in Microsoft Dynamics Business Central/NAV
CVE-2020-1018

7.5HIGH

Key Information:

Vendor: Microsoft
Status: Microsoft Dynamics Nav 2016; Microsoft Dynamics Nav 2017; Microsoft Dynamics Nav 2018; Microsoft Dynamics Nav 2015
Vendor: CVE Published:; 15 April 2020

Summary

An information disclosure vulnerability exists in Microsoft Dynamics Business Central/NAV on-premise where sensitive data in masked fields is inadequately hidden when displayed on chart pages. An attacker exploiting this flaw could gain unauthorized access to confidential information intended to be masked, posing significant risks to data integrity and privacy. The vulnerability has been addressed through a security update that enhances the rendering engine for the Windows client to ensure proper masking of sensitive fields.

Affected Version(s)

Dynamics 365 Business Central 2019 Spring Update = unspecified

Microsoft Dynamics 365 BC On Premise = unspecified

Microsoft Dynamics NAV 2015 = unspecified

References

https://portal.msrc.microsoft.com/en-US/security-guidance...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 15, 2020
Vulnerability Reserved
Nov 4, 2019