Microsoft Dynamics
CVE-2020-1018 — Microsoft Dynamics Business Central/NAV Information Disclosure
Executive Summary
An information disclosure vulnerability exists when Microsoft Dynamics Business Central/NAV on-premise does not properly hide the value of a masked field when showing the records as a chart page. An attacker who successfully exploited the vulnerability could see the information that is in a masked field. The security update addresses the vulnerability by updating the rendering engine of the Windows client to properly detect masked fields and render the content as masked.
Overview
| Metric | Value |
|---|---|
| CVSS | 7.5 HIGH |
| MS Severity | Important |
| MS Exploit Status | Not Exploited |
| MS Exploit Likelihood | Less Likely |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
EPSS Score
0.06158 probability of exploitation in the next 30 days
0.92558 percentile - updated 2026-06-21
Affected Products
6 affected products
| Product | KB Article | Severity | Impact | Restart Required |
|---|---|---|---|---|
| Dynamics 365 Business Central 2019 Spring Update | 4549677 (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Dynamics 365 BC On Premise | 4549676 (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Dynamics NAV 2015 | 4557700 (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Dynamics NAV 2016 | 4549673 (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Dynamics NAV 2017 | 4549674 (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Dynamics NAV 2018 | 4549675 (Security Update) | Important | Information Disclosure | Maybe |
Patches
6 patches
| Article | Type | Restart |
|---|---|---|
| 4549677 | Security Update | Maybe |
| 4549676 | Security Update | Maybe |
| 4557700 | Security Update | Maybe |
| 4549673 | Security Update | Maybe |
| 4549674 | Security Update | Maybe |
| 4549675 | Security Update | Maybe |
Known Exploits
No known exploits have been linked for this CVE yet. When available, exploit references will be sourced from public repositories and may be unverified, incomplete, or non-functional. Always review code carefully before use in any environment.
Acknowledgments
None