Database Access Credentials Stored in Plain Text, Affecting ERP XL from 2020.2.2 to 2023.2.
CVE-2023-4538

6.5MEDIUM

Key Information:

Vendor: Comarch
Status: Erp Xl
Vendor: CVE Published:; 15 February 2024

What is CVE-2023-4538?

The database access credentials configured during installation are stored in a special table, and are encrypted with a shared key, same among all Comarch ERP XL client installations. This could allow an attacker with access to that table to retrieve plain text passwords.

This issue affects ERP XL: from 2020.2.2 through 2023.2.

Affected Version(s)

ERP XL 2020.2.2 <= 2023.2

References

https://cert.pl/en/posts/2024/02/CVE-2023-4537/

third-party-advisory

https://cert.pl/posts/2024/02/CVE-2023-4537/

third-party-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 15, 2024
Vulnerability Reserved
Aug 25, 2023

Credit

dr inż. Marcin Ochab