CVE-2020-13473: NCH Account-Clear Text Password Storage

Vulnerable Software: Express Accounts

Affected Version: 8.24 and prior

Vendor Homepage: https://www.nchsoftware.com/

CVE: CVE-2020-13473

CVE Author: Tejas Nitin Pingulkar

Exploit Available: Yes

About Affected Software


Express Accounts is professional business accounting software, perfect for small businesses needing to document and report on incoming and outgoing cash flow including sales, receipts, payments and purchases.

Additional Information


Express Accounts has functionality that allows it to be accessed over the web. While configuring the web access function, the application asks for user details such as username, password, email, etc. The application stores this information in “C:\ProgramData\NCH Software\ExpressAccounts\WebAccounts”.

Exploit


A low-privileged authenticated user can access the files stored in cleartext format in C:\ProgramData\NCH Software\ExpressAccounts\WebAccounts and obtain usernames and passwords.
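
A defender-side check for the condition described above, as an added example that is not part of the original advisory: it lists the access rules that let ordinary local users read the directory the advisory names and the files under it. The set of well-known group SIDs treated as "broad" and the function name `Get-BroadReadAccess` are assumptions of this example.

```powershell
# Added example: audit who can read the Express Accounts web-access data.
# The path is the one named in the advisory.
$Path = 'C:\ProgramData\NCH Software\ExpressAccounts\WebAccounts'

# Assumption: well-known SIDs of groups that include ordinary local users.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

$ReadMask = [System.Security.AccessControl.FileSystemRights]::ReadData

function Get-BroadReadAccess {
    param([Parameter(Mandatory)][string]$LiteralPath)

    $acl = Get-Acl -LiteralPath $LiteralPath
    # Resolve each rule to a SID so the check does not depend on the OS display language.
    # ACEs expressed only as generic rights (typically inherit-only) are not expanded here.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and
            $BroadSids.ContainsKey($sid) -and
            ($rule.FileSystemRights -band $ReadMask)) {
            [pscustomobject]@{
                Path      = $LiteralPath
                Principal = $BroadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if (Test-Path -LiteralPath $Path) {
    # Check the directory itself and everything beneath it.
    $children = Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Select-Object -ExpandProperty FullName
    $targets  = @($Path) + @($children)
    $findings = foreach ($t in $targets) { Get-BroadReadAccess -LiteralPath $t }
    if ($findings) { $findings | Format-Table -AutoSize }
    else { Write-Output "No broad read access found under $Path" }
} else {
    Write-Output "$Path is not present on this host."
}
```

Any row in the output means a non-administrative account on that host can read the files in which the advisory says the credentials are stored.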

Proof Of Concept
