CVE-2020-13473: NCH Account-Clear Text Password Storage

Vulnerable Software: Express Accounts

Affected Version: 8.24 and prior

Vendor Homepage: https://www.nchsoftware.com/

CVE: CVE-2020-13473

CVE Author: Tejas Nitin Pingulkar

Exploit Available: Yes

About Affected Software

Express Accounts is professional business accounting software, perfect for small businesses needing to document and report on incoming and outgoing cash flow, including sales, receipts, payments, and purchases.

Additional Information

Express Accounts has functionality that allows it to be accessed over the web. While configuring the web access function, the application asks for user details such as username, password, and email. The application stores this information in cleartext in “C:\ProgramData\NCH Software\ExpressAccounts\WebAccounts”.

Exploit

A low-privileged authenticated user can read the files stored in cleartext at C:\ProgramData\NCH Software\ExpressAccounts\WebAccounts and obtain usernames and passwords.
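To check a host for this exposure, the following PowerShell script (an added example, not part of the original advisory or the vendor's tooling) lists which broad, non-administrative groups hold read access to the directory named above. The set of principals treated as "broad" and the function name Get-BroadReadAccess are assumptions of this example.

```powershell
# Added example: audit who can read the directory named in this advisory.
# The path comes from the advisory; the list of broad principals is an assumption.
param(
    [string]$Path = 'C:\ProgramData\NCH Software\ExpressAccounts\WebAccounts'
)

# Well-known SIDs of groups that include ordinary, non-administrative users.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# The right that allows reading file contents (also lists a directory).
$ReadMask = [System.Security.AccessControl.FileSystemRights]::ReadData

function Get-BroadReadAccess {
    param([string]$Target)

    $acl = Get-Acl -LiteralPath $Target
    # Resolve each ACE to a SID so the check does not depend on the OS display language.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadSids.ContainsKey($sid) -and
            (($ace.FileSystemRights -band $ReadMask) -eq $ReadMask)) {
            [pscustomobject]@{
                Path      = $Target
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "Not found: $Path (web access may never have been configured)"
    return
}

# Check the directory itself and every item beneath it.
$items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
$findings = foreach ($item in $items) { Get-BroadReadAccess -Target $item.FullName }

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output "No broad read access found under $Path" }
```

Any row in the output means every local account in that group can read the stored web access credentials; rows marked as inherited take their permissions from a parent folder rather than from the WebAccounts directory itself.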

Proof Of Concept
