CVE-2006-2718

Name of the Vulnerable Software and Affected Versions JIWA Financials version 6.4.14

Description The issue allows remote authenticated users to execute certain standard stored procedures by referencing them in a user-written .rpt file. This is possible because JIWA Financials passes a Microsoft SQL Server account's username and password, and the name of a data source, to a Crystal Reports .rpt file. As a result, an attacker can use a stored procedure that provides the username and cleartext password of every account.

Recommendations For JIWA Financials version 6.4.14, consider restricting access to the Crystal Reports .rpt file and limiting the execution of standard stored procedures to mitigate the risk of exploitation. Additionally, avoid using the username and password in the .rpt file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.