PT-2024-13242 · Comarch · Comarch ERP XL

Marcin Ochab · Published 2024-02-15 · Updated 2024-02-17 · CVE-2023-4538

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Comarch ERP XL versions 2020.2.2 through 2023.2

Description: The database access credentials configured during installation are stored in a dedicated table and encrypted with a shared key that is identical across all Comarch ERP XL client installations. Because the key ships with every copy of the product, the encryption does not protect the stored values against anyone who can read the table: an attacker with access to that table can recover the plaintext passwords.

Recommendations: For versions 2020.2.2 through 2023.2, change the database access credentials and the shared encryption key to prevent unauthorized access. As a temporary workaround, restrict access to the table that stores the database access credentials to minimize the risk of exploitation. Note that rotating the credentials alone does not help while the new values are written back under the same shared key, so the access restriction should stay in place until the key is changed.
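The following is an added illustration of the weakness class described above, not Comarch's code: the cipher, the row layout, the login name `erp_svc`, the `SHARED_KEY` value and the function names are all constructed stand-ins (Comarch ERP XL's actual key, table and algorithm are not documented on this page). It contrasts the weak pattern (one key identical in every installation, so the table row alone suffices for recovery) with a per-installation key held outside the table, which is what the workaround of restricting table access assumes.

```python
"""Shared-across-installations key versus per-installation key.
Added example; cipher, table layout and names are assumptions, not ERP XL's."""
import hashlib
import hmac
import os
from typing import Optional, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy stream cipher; stand-in for the
    # unspecified cipher the product uses (assumption), chosen to stay stdlib-only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag binds nonce and ciphertext to the key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None when the tag does not verify under this key (wrong key)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# --- Weak pattern: one key compiled into the product, identical on every host.
SHARED_KEY = b"constructed-placeholder-shared-key"  # assumption: not the real key


def store_with_shared_key(db_password: str) -> dict:
    """The row an attacker with table access gets to read (constructed layout)."""
    return {"login": "erp_svc", "password": encrypt(SHARED_KEY, db_password.encode())}


def attacker_reads_row(row: dict) -> Optional[str]:
    """The attacker already holds SHARED_KEY (it ships with every install), so
    the table contents alone are enough to recover the plaintext."""
    pt = decrypt(SHARED_KEY, row["password"])
    return None if pt is None else pt.decode()


# --- Hardened pattern: a key unique to this installation, kept outside the
# table (in practice DPAPI, an OS key store or an HSM; modelled as random bytes).
def store_with_install_key(db_password: str) -> Tuple[dict, bytes]:
    install_key = os.urandom(32)
    row = {"login": "erp_svc", "password": encrypt(install_key, db_password.encode())}
    return row, install_key


def owner_reads_row(row: dict, install_key: bytes) -> Optional[str]:
    """Only the holder of the per-installation key can decrypt the row."""
    pt = decrypt(install_key, row["password"])
    return None if pt is None else pt.decode()


if __name__ == "__main__":
    weak = store_with_shared_key("S3cret!")
    print("shared key, attacker recovers:", attacker_reads_row(weak))
    strong, key = store_with_install_key("S3cret!")
    print("per-install key, attacker recovers:", attacker_reads_row(strong))
    print("per-install key, owner recovers:", owner_reads_row(strong, key))
```

With the shared key the attacker's call returns the password from the row alone; with a per-installation key the same call fails the tag check and returns None, while the legitimate owner still decrypts. The boundary the second pattern relies on (the key never sits in the table the attacker can read) is the same boundary the temporary workaround above tries to enforce by restricting access to that table.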

Fix: none listed

Weakness Enumeration: CWE-522 Insufficiently Protected Credentials

Related Identifiers: CVE-2023-4538

Affected Products: Comarch ERP XL