Cross-site scripting vulnerability in Microsoft Dynamics NAV 2013 R2 Web client

A cross-site scripting vulnerability exists when Microsoft Dynamics NAV 2013 R2 doesn't properly sanitize specially crafted web requests on an affected Dynamics NAV Web client. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected Dynamics NAV Web client. See CVE-2018-8651 for more information.

This update is based on the latest Cumulative Update of Dynamics NAV 2013 R2 (CU 51, build 49751). Therefore, you must deploy that update before this one.

The update package contains the Dynamics NAV Web client, which should be deployed by copying the provided files into the Dynamics NAV Web Site folder.

You can get the update package through the Microsoft Download Center.

1. Download the update package. It contains a folder named "WEB CLIENT".
2. Locate the folder where you installed the Dynamics NAV Web client (usually, it is located within the C:\inetpub\wwwroot\<InstanceName>\WebClient folder)
   1. Open the Internet Information Services (IIS) Manager.
   2. Select Sites > Default Web Site > Microsoft Dynamics NAV 2013 R2 Web Client > DynamicsNAV71.
   3. Right-click the DynamicsNAV71 folder site and select Explore.
   4. Open the WebClient folder.
3. Stop the Internet Information Server that's running the Web client.
4. Copy the context of the WEB CLIENT folder that you downloaded in step 1 and paste it over the WebClient folder that you opened in step d of step 2.
5. Start the Internet Information Server again.
   
   The update package is deployed.

When you start the Dynamics NAV Web client, you receive a warning that states that the server and the client are not the same version. This is expected because a new version of the Dynamics NAV Web client. To prevent this warning from appearing for the Web client users, you can disable the warning in the server configure file. To do this, follow these steps:

1. Open the Microsoft Dynamics NAV 2013 R2 Administration (management console snap-in).
2. From the console root, locate and expand Microsoft Dynamics NAV > DynamicsNAV71 <Server Instance Name>.
3. The first setting under the general fast tab is called "build restriction," and its default setting is WarnClient. Set it to AlwaysConnect.
4. Select the Edit button, and then change the value.
5. Select the Save button, and then select OK when you are prompted, "The new settings value will not take effect until you stop and restart the service."
6. Restart the server as follows:
   1. Select Console root > Microsoft Dynamics NAV in the right site of the Management console.
   2. Select the Service (DynamicsNAV71) in the middle area of the console.
   3. When you select the right side of the console, an option to restart the server will be displayed. Select OK, and the server will be restarted.