Overview

This advisory addresses a Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia Web Time and Expense (WebTE) interface used for Microsoft Dynamics NAV before 2017 allows an attacker to download arbitrary expense and requisition reports by specifying arbitrary values for the "recId" and "filename" parameters of the "/Home/GetAttachment" function.

This issue was reported to Xtivia in accordance with responsible disclosure guidelines. Xtivia responded that no patch will be released as the WebTE interface used for Microsoft Dynamics NAV versions prior to 2017 have been deprecated. See screenshot of vendor email response below:

Vulnerability Information

Definitions

CVE  Common Vulnerabilities and Exposures is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation. 

CVSS  Common Vulnerability Scoring System is a vendor agnostic, industry open standard designed to convey the severity of a vulnerability. CVSS scores may be used to determine the urgency for update deployment within an organization and can range from 0.0 (no vulnerability) to 10.0 (critical). Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics. 

Mitigations    Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices. 

Workarounds  Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack.  

Acknowledgements

This vulnerability was discovered and reported by Nolan B. Kennedy of MindPoint Group. (See email screenshot at top of page in Overview section).