CVE-2020-11560: NCH Express Invoice-Clear Text Password Storage

Vulnerable Software: Express Invoice

Affected Version: 7.25

Vendor Homepage:

CVE: CVE-2020-11560

CVE Author: Tejas Nitin Pingulkar

Exploit Avilable: POC Avilable

About Affected Software

Express Invoice lets you create invoices you can print, email or fax directly to clients for faster payment. The reporting functionality allows you to keep track of payments, overdue accounts, sales team performance and more.

Additional Information

Express Invoice has functionality that allows to access it over the web. While configuring web access function application ask for user details such as username, password, email, etc. Application stores this information in “C:\ProgramData\NCH Software\ExpressInvoice\Accounts”

Note: from version 8.24 path changed to “C:\ProgramData\NCH Software\ExpressInvoice\WebAccounts”


Low authenticated user can access files stored in cleartext format in C:\ProgramData\NCH Software\ExpressInvoice\Accounts and obtain username passwords

Proof Of Concept


Patch not available as of 19 Aptil 2020

Possibal solution: to restrict access to host server. 


Scroll to top