Vulnerable Software: Express Invoice
Affected Version: 7.25
Vendor Homepage: https://www.nchsoftware.com/
CVE: CVE-2020-11560
CVE Author: Tejas Nitin Pingulkar
Exploit Available: POC Available
About Affected Software
Express Invoice lets you create invoices you can print, email or fax directly to clients for faster payment. The reporting functionality allows you to keep track of payments, overdue accounts, sales team performance, and more.
Additional Information
Express Invoice has functionality that includes a web access feature. During configuration, the application prompts users to enter details such as username, password, email, etc. Application stores this information in “C:\ProgramData\NCH Software\ExpressInvoice\Accounts”
Note: from version 8.24 path changed to “C:\ProgramData\NCH Software\ExpressInvoice\WebAccounts”
Exploit
A low-privileged user with local access can navigate to the Accounts directory and retrieve stored usernames and passwords in cleartext format from C:\ProgramData\NCH Software\ExpressInvoice\Accounts and obtain username passwords.
Mitigation
Patch not available as of 19 April 2020
Recommended Workaround: Restrict access to the host server to prevent unauthorized users from accessing sensitive files
Proof Of Concept