CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
90.2%
This article applies to Microsoft Dynamics 365 Business Central (on-premises deployments) for all countries and all language locales.
An information disclosure vulnerability exists if Microsoft Dynamics Business Central/NAV on-premises does not correctly hide the value of a masked field when it displays the records as a chart page. To learn more about the vulnerability, go to CVE-2020-1018.This update also addresses a vulnerability that is related to the NAVRecordState state. To learn more about the vulnerability, go to CVE-2020-1022.
When you upgrade on-premises deployments to this update, you and your customers must use a new license that covers more scenarios than the one for the original release in October 2018.
**Why this new license?**In cumulative update 1 (CU1), we enabled new licensing scenarios so that Business Central is optimized for licenses that have named users. This was not fully supported in the RTM version that was made available on October 1, 2018. Therefore, CU1 requires a new license. You can pull new licenses when you upgrade customers to CU1.The new licenses are required for CU1 and later versions of Business Central. They are not backwards compatible with earlier versions of Business Central.What has changed? In CU1, Business Central supports the product line IDs 49, 74, 75, and 76 for named users. For more information, see Microsoft Dynamics 365 Business Central Pricing and Licensing.This cumulative update includes all hotfixes and regulatory features that have been released for Microsoft Dynamics 365 Business Central, including hotfixes and regulatory features that were released in previous cumulative updates. This cumulative update replaces previously released cumulative updates. You should always install the latest cumulative update. It may be necessary to update your license after you install this hotfix to gain access to new objects that are included in this or a previous cumulative update. (This applies only to customer licenses.)
For a list of cumulative updates that were released for Microsoft Dynamics 365 Business Central, see released cumulative updates for Microsoft Dynamics 365 Business Central. Cumulative updates are intended for new and existing customers who are running Microsoft Dynamics Released Cumulative Updates for Microsoft Dynamics 365 Business Central.
Important We recommend that you contact your Microsoft Dynamics Partner before you install hotfixes or updates. It is important to verify that your environment is compatible with the hotfixes or updates that will be installed. A hotfix or update may cause interoperability issues with customizations and third-party products that work together with your Microsoft Dynamics 365 Business Central solution.Problems that are resolved in this cumulative update The following problems are resolved in this cumulative update:Platform hotfixesID | Title |
---|---|
349587 | The Pending status will not be documented. |
346825 | The Show as Chart action displays masked fields in plain text. |
348819 | Web client sessions are in a suspended state when the server is under a heavy load. |
Application hotfixesID | Title |
— | — |
343159 | The Suggest Vendor Payments batch job does not increment number series values correctly. |
349127 | When you use the Create Payment function, the payment journal line is created with an incorrect document type. |
343788 | When running the Cal. and Post VAT Settlement report, the Gen. Posting Type field is not set to Settlement for general ledger entries for reverse charge VAT. |
344402 | The top 10 list is not sorted as expected when the Balance (LCY) field is used for the Show parameter. |
344606 | Allocated costs are assigned to a blocked cost center. |
345322 | You can post unbalanced G/L entries by using a reversing recurring journal although the Force Doc. Balance check box is chosen. |
345489 | The Currency Code field can be blank when you use the Rapid Start function to import Currency codes. |
346505 | The caption and tooltip of the Allow G/L Acc. Deletion Before field in the General Ledger Setup page do not provide enough information. |
349599 | The Original Pmt. Disc. Possible and the Remaining Pmt. Disc. Possible amounts are incorrect in vendor ledger entries. |
348571 | You cannot sort on the Start Date and End Date fields in production orders after upgrading to cumulative update 24. |
345667 | The filter for the Company Name field on the Contacts list page does not display the correct result. |
347310 | The Sales Cycle Description field is not displayed when you update an opportunity. |
343173 | The posting number is used when the check total error is displayed. |
347080 | The Ship-to field on purchase quotes contains the customer address instead of the custom address. |
342790 | In a prepayment scenario, sales line comments are not displayed for the prepayment invoice if the Compress Prepayment field is set to true. |
342965 | The company email address is not printed correctly in the Customer Receipt Payment report. |
348236 | The tooltip for the Freight G/L Acc. No. field is not specific. |
344611 | Changing the values in the Lot and Serial No. fields in an inventory pick does not update the item ledger entry and tracking specification when posted. |
Local application hotfixes****AT - AustriaID | Title |
— | — |
343186 | An error message displays when you run the VAT Statement report in the Austrian version. |
**BE -**Belgium****ID | Title |
— | — |
343110 | If you create a vendor payment by using the EB Payment Journal, the Message to Recipient and Exported to Payment File fields are blank in the vendor ledger entry in the Belgian version. |
349330 | The dimension filter for the Suggest Vendor Payments action in the EB Payment Journal does not work in the Belgian version. |
CH - SwitzerlandID | Title |
— | — |
344744 | The Sales Page report does not consider the quote variant in the total amount in the Swiss version. |
CZ - CzechID | Title |
— | — |
349532 | Change FA Subclass code on the Fixed Asset card in fixed assets with more depreciation books in the Czech version. |
346235 | “Transaction type must have a value” error message displays when you post a sales shipment for an item of type Service in the Czech version. |
349616 | Call of stock in the VIES report in the Czech version. |
ES - SpainID | Title |
— | — |
347884 | Posting VAT entries from the G/L journal does not check whether there is a customer or a vendor in the transaction in the Spanish version. |
FR - FranceID | Title |
— | — |
344739 | Service Level <SvcLvl> and Service Level Code <Cd> are missing in the SEPA vendor payment file in the French version. |
344471 | “The value can’t be evaluated into type Integer” error message displays when you run the Export G/L Entries - Tax Audit report and the Registration No. field is blank in the company information in the French version. |
IT - ItalyID | Title |
— | — |
348156 | The advanced amount in the Periodic VAT Settlement table is not inserted correctly in the Calc. and Post VAT Settlement report in the Italian version. |
347070 | Withholding tax is not updated after you post the payment because the withholding tax is zero in the Italian version. |
347633 | The Reason field is not available in the Vendor Bill Withholding Tax table in the Italian version. |
MX - MexicoID | Title |
— | — |
342714 | "Error: The length of the string is ## but it must be less than or equal to 30. " error message displays in the sales order statistics when a Tax Area code description has more than 30 characters in the Mexican version. |
NA - North AmericaID | Title |
— | — |
342714 | "Error: The length of the string is ## but it must be less than or equal to 30. " error message displays in the sales order statistics when a Tax Area code description has more than 30 characters in the North American version. |
NL - NetherlandsID | Title |
— | — |
344884 | There is a check for the Entry/Exit Point table when creating an Intrastat file, although this information is not mandatory in the Dutch version. |
344651 | The audit file for the tax authority in the report allows only 15 characters in the Document No. field, although Business Central can handle more characters and the file format allows up to 999 characters in the Dutch version. |
NO - NorwayID | Title |
— | — |
348391 | Not all G/L accounts export to the SAF-T file in the Norwegian version. |
350283 | The tax information in the SAF-T file is missing for purchase documents in the Norwegian version. |
349471 | Incorrect or missing data in exports to the SAF-T file in the Norwegian version. |
**Local regulatory featuresBE -**BelgiumID | Title |
— | — |
349375 | The PEPPOL implementation is fixed according to partner feedback in the Belgian version. |
IT - ItalyID | Title |
— | — |
345382 | A new value of Non-Taxable Income Type is added to the withholding tax in the Italian version. |
** ****NO - Norway**ID | Title |
— | — |
349375 | The PEPPOL implementation is fixed according to partner feedback in the Norwegian version. |
UK - United KingdomID | Title |
— | — |
349647 | Make headers update for the Tax Digital FP in the British version. |
How to obtain the Microsoft Dynamics 365 Business Central update filesThis update is available for manual download and installation from the Microsoft Download Center.Cumulative Update 18 for Microsoft Dynamics 365 Business Central on-premisesWhich hotfix package to download
This cumulative update has multiple hotfix packages. Select and download one of the following packages depending on the country version of your Microsoft Dynamics 365 Business Central database.Country | Hotfix package |
---|---|
AT - Austria | Download the CU 18 Dynamics 365 Business Central AT package |
AU - Australia | Download the CU 18 Dynamics 365 Business Central AU package |
BE - Belgium | Download the CU 18 Dynamics 365 Business Central BE package |
CH - Switzerland | Download the CU 18 Dynamics 365 Business Central CH package |
CZ- Czech | Download the CU 18 Dynamics 365 Business Central CZ package |
DE - Germany | Download the CU 18 Dynamics 365 Business Central DE package |
DK - Denmark | Download the CU 18 Dynamics 365 Business Central DK package |
ES - Spain | Download the CU 18 Dynamics 365 Business Central ES package |
FI - Finland | Download the CU 18 Dynamics 365 Business Central FI package |
FR - France | Download the CU 18 Dynamics 365 Business Central FR package |
IS - Iceland | Download the CU 18 Dynamics 365 Business Central IS package |
IT - Italy | Download the CU 18 Dynamics 365 Business Central IT package |
NA - North America | Download the CU 18 Dynamics 365 Business Central NA package |
NL - Netherlands | Download the CU 18 Dynamics 365 Business Central NL package |
NO - Norway | Download the CU 18 Dynamics 365 Business Central NO package |
NZ - New Zealand | Download the CU 18 Dynamics 365 Business Central NZ package |
RU - Russia | Download the CU 18 Dynamics 365 Business Central RU package |
SE - Sweden | Download the CU 18 Dynamics 365 Business Central SE package |
UK - United Kingdom | Download the CU 18 Dynamics 365 Business Central UK package |
All other countries | Download the CU 18 Dynamics 365 Business Central W1 package |
How to install a Microsoft Dynamics 365 Business Central cumulative updateSee How to install a Microsoft Dynamics 365 Business Central cumulative update.PrerequistesYou must have Microsoft Dynamics 365 Business Central installed to apply this hotfix. |
See more information about software update terminology and Microsoft Dynamics 365 Business Central.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the “Applies to” section.
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
90.2%