CVE-2019-19616

An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia Web Time and Expense (WebTE) interface used for Microsoft Dynamics NAV before 2017 allows an attacker to download arbitrary files by specifying arbitrary values for the recId and filename parameters of the /Home/GetAttachment function.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
mitreCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.0/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 44%
VendorProductVersion
xtiviaweb_time_and_expense
𝑥
< 2017
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.nolanbkennedy.com/post/insecure-direct-object-reference-idor-in-xtivia-web-time-and-expense-webte
http://www.nolanbkennedy.com/post/insecure-direct-object-reference-idor-in-xtivia-web-time-and-expense-webte