Robert Passlow

**Name of the Vulnerable Software and Affected Versions** JIWA Financials version 6.4.14 **Description** The issue allows remote authenticated users to execute certain standard stored procedures by referencing them in a user-written .rpt file. This is possible because JIWA Financials passes a Microsoft SQL Server account's `username` and `password`, and the name of a data source, to a Crystal Reports .rpt file. As a result, an attacker can use a stored procedure that provides the `username` and cleartext `password` of every account. **Recommendations** For JIWA Financials version 6.4.14, consider restricting access to the Crystal Reports .rpt file and limiting the execution of standard stored procedures to mitigate the risk of exploitation. Additionally, avoid using the `username` and `password` in the .rpt file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JIWA Financials version 6.4.14 **Description** The issue allows context-dependent attackers to potentially obtain passwords because JIWA Financials stores usernames and passwords in cleartext in the HR Staff table in Microsoft SQL Server. It also sends these credentials in cleartext to the application's SQL Server ODBC driver. **Recommendations** For JIWA Financials version 6.4.14, consider implementing encryption for storing and transmitting usernames and passwords to prevent them from being obtained in cleartext. As a temporary workaround, restrict access to the HR Staff table and the SQL Server ODBC driver to minimize the risk of exploitation.