CVE-2020-13473: NCH Account-Clear Text Password Storage

Vulnerable Software: Express Account

Affected Version: 8.24 and prior

Vendor Homepage: https://www.nchsoftware.com/

CVE: CVE-2020-13473

CVE Author: Tejas Nitin Pingulkar

Exploit Available: Yes

About Affected Software


Express Accounts is professional business accounting software, perfect for small businesses needing to document and report on incoming and outgoing cash flow including sales, receipts, payments and purchases.

Additional Information


Express Accounts has functionality that allows to access it over the web. While configuring web access function application ask for user details such as username, password, email, etc. Application stores this information in “C:\ProgramData\NCH Software\ExpressAccounts\WebAccounts”

Exploit


Low authenticated user can access files stored in cleartext format in C:\ProgramData\NCH Software\ExpressAccounts\WebAccounts and obtain username passwords

Proof Of Concept

CVE-2020-13473: NCH Account-Clear Text Password Storage

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to top