PT-2023-13979 · Sage · Sage 300

Published: 2023-04-28 · Updated: 2025-01-31 · CVE-2022-41399

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Sage 300 versions through 2022

Description: The optional Web Screens feature uses a hard-coded 40-byte Blowfish key (PASS KEY) to encrypt and decrypt the connection string for the PORTAL database stored in "dbconfig.xml". Because the key is fixed rather than generated per installation, the encryption does not protect the connection string, and this issue could allow attackers to obtain access to the SQL database.

Recommendations: For Sage 300 versions through 2022, consider disabling the Web Screens feature until a patch is available, to prevent potential access to the SQL database. Restrict access to the "dbconfig.xml" file to minimize the risk of exploitation. Avoid relying on the hard-coded PASS KEY to protect the database connection string until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
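The second recommendation above, restricting who can read "dbconfig.xml", is the one a defender can verify immediately. The PowerShell check below is an added example written for this page; it is not part of the advisory or of Sage's own tooling. It assumes a placeholder file path (the real location of the Web Screens "dbconfig.xml" must be substituted) and a constructed list of broad Windows principals that should never hold read access to a file containing an encrypted connection string. It reports any Allow entry granting ReadData to such a principal so the ACL can be tightened.

```powershell
# Added example (not from the advisory): audit NTFS permissions on dbconfig.xml.
# PLACEHOLDER path - replace with the actual location of the Sage 300 Web Screens dbconfig.xml.
$ConfigPath = 'C:\PLACEHOLDER\Sage300\dbconfig.xml'

# Constructed list of broad principals; any of these with read access means
# every local/interactive user can recover the (weakly encrypted) connection string.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-DbConfigAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Principals = $BroadPrincipals
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        # Either Web Screens is not installed (good) or the placeholder path was not replaced.
        Write-Warning "File not found: $Path"
        return @()
    }

    $acl = Get-Acl -LiteralPath $Path
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData

    $findings = foreach ($ace in $acl.Access) {
        # Note: generic access masks (shown as raw integers) are not decoded here.
        $grantsRead = (($ace.FileSystemRights -band $readData) -ne 0)
        if ($ace.AccessControlType -eq 'Allow' -and $grantsRead -and
            ($Principals -contains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

    if ($findings) {
        Write-Warning "dbconfig.xml is readable by broad principals; tighten the ACL (remove these entries, break inheritance if needed):"
        $findings | Format-Table -AutoSize
    }
    else {
        Write-Output "OK: no broad read access on $Path"
    }

    # Inherited entries usually mean the parent folder's ACL is the real problem.
    if ($acl.AreAccessRulesProtected -eq $false -and $findings) {
        Write-Output "Inheritance is enabled on this file; review the parent directory ACL as well."
    }

    return $findings
}

Test-DbConfigAcl -Path $ConfigPath
```

Run this from an elevated PowerShell session on the Sage 300 web server; a non-empty result is a finding, and an empty result only means the listed broad groups have no explicit ReadData grant, not that the ACL is otherwise minimal. The check complements, rather than replaces, the advisory's first recommendation of disabling Web Screens where it is not needed.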

Weakness Enumeration: Using Hardcoded Credentials

Related Identifiers: CVE-2022-41399

Affected Products: Sage 300