CVE-2019-19616

Name of the Vulnerable Software and Affected Versions Microsoft Dynamics NAV versions prior to 2017

Description The issue is related to an Insecure Direct Object Reference (IDOR) vulnerability in the Web Time and Expense (WebTE) interface. This vulnerability can be exploited by a remote attacker to gain unauthorized access to arbitrary reports by specifying arbitrary values for the recId and filename parameters. The attacker can download arbitrary files using the /Home/GetAttachment function.

Recommendations For Microsoft Dynamics NAV versions prior to 2017, update to a version 2017 or later to resolve the issue. As a temporary workaround, consider restricting access to the /Home/GetAttachment function to minimize the risk of exploitation. Avoid using arbitrary values for the recId and filename parameters in the affected API endpoint until the issue is resolved.