NCH Express CVE-2020-11560 Clear Text Password Storage
CVE: CVE-2020-11560
Title: Clear text password storage in NCH express invoice software
About NCH express invoice software:
Express Invoice lets you create invoices you can print, email or fax directly to clients for faster payment. The reporting functionality allows you to keep track of payments, overdue accounts, sales team performance and more.
Vulnerability: Express Invoice has functionality that allows it to be accessed over the web.
While configuring the web access function, the application asks for user details such as username, password, email, etc.
The application stores this information in clear text in the "C:\ProgramData\NCH Software\ExpressInvoice\Accounts" folder.
Impact: An authenticated malicious user with access to the configuration file may obtain the exposed password to gain access to any user account.
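
A defensive check for the exposure described above, added here as an example and not part of the original advisory: it lists which broad Windows groups are allowed to read the Accounts folder and the files under it. The function name Get-BroadReadAccess and the choice of groups to flag are assumptions made for this example; only the folder path comes from the advisory.

```powershell
# Added example: audit read access to the Express Invoice account store.
# The path is the one named in the advisory; all other names are illustrative.
$AccountsPath = 'C:\ProgramData\NCH Software\ExpressInvoice\Accounts'

# Well-known SIDs of broad groups (SIDs are used so the check is locale-independent).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Bits that grant reading file contents. Inherited ACEs sometimes carry raw
# generic rights instead of FileSystemRights flags, so both forms are tested.
$ReadData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$GenericRead = [int]::MinValue   # 0x80000000, GENERIC_READ
$GenericAll  = 0x10000000        # GENERIC_ALL
$ReadMask    = $ReadData -bor $GenericRead -bor $GenericAll

function Get-BroadReadAccess {
    param([Parameter(Mandatory)][string]$Path)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl   = Get-Acl -LiteralPath $item.FullName
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -ne 'Allow')  { continue }
            if (-not $BroadSids.ContainsKey($sid))    { continue }
            if (([int]$rule.FileSystemRights -band $ReadMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $BroadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if (Test-Path -LiteralPath $AccountsPath) {
    $findings = @(Get-BroadReadAccess -Path $AccountsPath)
    if ($findings.Count -eq 0) { 'No broad read access found.' }
    else { $findings | Format-Table -AutoSize }
} else {
    "Path not present: $AccountsPath"
}
```

Any row in the output means ordinary local users can read the stored account details; tightening the folder ACL to the accounts that need it limits who can reach the clear-text passwords.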
POC