PT-2023-21549 · Sage · Sage 200 Spain
Juan González · Published 2023-10-04 · Updated 2023-12-19
CVE-2023-2809
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Sage 200 Spain version 2023.38.001
Description
The issue is plaintext credential usage: SQL database credentials are stored in plaintext, which could allow a remote attacker to extract them from the DLL application. Because the credentials are stored in plaintext, this could be combined with known techniques to obtain remote execution of MS SQL commands and escalate privileges on Windows systems.
Recommendations
For Sage 200 Spain version 2023.38.001, consider updating to a newer version that addresses the plaintext credential usage vulnerability to prevent remote attackers from extracting SQL database credentials. As a temporary workaround, restrict access to the DLL application to minimize the risk of exploitation.
Weakness Enumeration
Cleartext Storage of Sensitive Information
Affected Products
Sage 200 Spain