Posts

Showing posts from March, 2020

NCH Express CVE-2020-11561 Privilege Escalation

CVE: CVE-2020-11561

Title: Privilege Escalation via Forceful Browsing

About NCH Express Invoice software: Express Invoice lets you create invoices you can print, email or fax directly to clients for faster payment. The reporting functionality allows you to keep track of payments, overdue accounts, sales team performance and more.

Vulnerability: NCH Express Invoice software can be accessed over the web. The web interface provides 3 types of user: Administrator, User and Viewer. The Administrator user has access to all modules, including "Add New Item" and "Add New Customer". A user with Viewer privileges does not have access to "Add New Item" or "Add New Customer". By forceful browsing, we will access the admin modules using Viewer user privileges.

Impact: An authenticated low-privileged user can access modules that are accessible only to higher-privileged users.

POC:

NCH Express CVE-2020-11560 Clear Text Password Storage

CVE: CVE-2020-11560

Title: Clear text password storage in NCH Express Invoice software

About NCH Express Invoice software: Express Invoice lets you create invoices you can print, email or fax directly to clients for faster payment. The reporting functionality allows you to keep track of payments, overdue accounts, sales team performance and more.

Vulnerability: Express Invoice has functionality that allows it to be accessed over the web. While configuring the web access function, the application asks for user details such as username, password, email, etc. The application stores this information in the "C:\ProgramData\NCH Software\ExpressInvoice\Accounts" folder in clear text.

Impact: An authenticated malicious user with access to the configuration file may obtain the exposed password to gain access to any user account.

POC