Vulnerable Software: Express Invoice
Affected Version: 7.25
Vendor Homepage: https://www.nchsoftware.com/
CVE Author: Tejas Nitin Pingulkar
Exploit Available: POC Available
About Affected Software
Express Invoice lets you create invoices you can print, email or fax directly to clients for faster payment. The reporting functionality allows you to keep track of payments, overdue accounts, sales team performance, and more.
Express Invoice has functionality that allows to access it over the web. While configuring web access function, application asks for user details such as username, password, email, etc. Application stores this information in “C:\ProgramData\NCH Software\ExpressInvoice\Accounts”
Note: from version 8.24 path changed to “C:\ProgramData\NCH Software\ExpressInvoice\WebAccounts”
A low-authenticated user can access files stored in cleartext format in C:\ProgramData\NCH Software\ExpressInvoice\Accounts and obtain username passwords.
Patch not available as of 19 April 2020
Possible solution: to restrict access to the host server.
Proof Of Concept