PT-2018-10495 · Intuit · Intuit Lacerte

User · Published 2018-07-31 · Updated 2024-02-14 · CVE-2018-11338

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Intuit Lacerte version 2017
Intuit Lacerte versions prior to 2017

Description

The software transfers the entire customer list in cleartext over SMB, allowing attackers to obtain sensitive information by sniffing the network or conducting man-in-the-middle (MITM) attacks. The customer list contains sensitive information such as full name, social security number, address, job title, phone number, email address, and other sensitive details. After the client software authenticates to the server database, the server sends the customer list, exposing all sensitive data without needing further exploitation.

Recommendations

For Intuit Lacerte version 2017, consider implementing encryption for data transferred over SMB to protect sensitive customer information. For Intuit Lacerte versions prior to 2017, apply the same encryption measures as for version 2017 to mitigate the risk of sensitive data exposure. As a temporary workaround, consider restricting access to the customer list until a more secure data transfer method is implemented.

Fix

Weakness Enumeration

Cleartext Transmission of Sensitive Information

Related Identifiers

CVE-2018-11338

Affected Products

Intuit Lacerte