Submit #383225: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-259: Use of Hard-coded Password

Title: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-259: Use of Hard-coded Password
Description:
NOTE - This submit shall be embargoed until 14:00 CET on 2024-08-01 - NOTE

CVE-2024-38885: Horizon Business Services Inc. Caterease Software ships its client application with hard-coded SQL user credentials. An attacker who can reach the back-end SQL Server over the network can authenticate with these known credentials and gain unauthorized access to the database.

Vulnerability Type: CWE-259: Use of Hard-coded Password
Vendor of the Product: Horizon Business Services Inc.
Affected Product: Caterease Software
Affected Versions: 16.0.1.1663 through 24.0.1.2405
Attack Vector: Remote (note that the CVSS vector below scores the attack vector as Adjacent Network, i.e. the attacker needs network reachability to the SQL Server)
Attack Type: CAPEC-653: Use of Known Operating System Credentials

Vulnerability Summary:
Caterease Software contains hard-coded SQL user credentials within the client application. The credentials are embedded in the software and are identical across all installations, which makes them a single point of failure: there is no per-customer or per-user secret, and the password cannot be rotated without shipping a new client. Anyone who gains access to the client application can extract the credentials from it and use them to log in to any reachable Caterease SQL database.

The SQL user associated with these credentials is a member of the db_owner database role (dbo), which grants it elevated privileges on the SQL Server. Once attackers hold the credentials they have full control of the database: they can read and exfiltrate sensitive data, modify or delete database records, and execute arbitrary SQL commands. This vulnerability severely impacts the confidentiality, integrity, and availability of the database.

CVSS Base Score: High Risk - 8.8
CVSS v3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability Metrics
Attack Vector (AV): Adjacent Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics
Confidentiality (C): High
Integrity (I): High
Availability (A): High
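The summary above describes the general pattern behind CWE-259 in a database client: a connection string with a SQL login and password baked into the executable. The following Python scanner is an added example written for this page; it is not code from the VulDB record or from the vendor's software. It extracts printable ASCII and UTF-16LE runs from a binary image (UTF-16LE is how .NET and Unicode Delphi binaries store string literals), parses any connection-string-shaped runs, and reports those that carry both a server and a password. Strings that rely on integrated authentication (Trusted_Connection / Integrated Security) carry no password and are deliberately not reported, since that is the remediation for this class of flaw. The sample binary, host names, database names, user names and passwords are all constructed for illustration; the actual Caterease connection string is not known to this page.

```python
"""Scan a client binary image for embedded SQL Server connection strings
that carry a password (CWE-259: Use of Hard-coded Password).

Added example for this page; it is not Caterease code and the sample
binary below is constructed, not taken from any real product.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Key aliases used by ADO / OLE DB / ODBC / ADO.NET connection strings,
# mapped to one canonical name each.
ALIASES = {
    "user id": "user", "uid": "user", "user": "user",
    "password": "password", "pwd": "password",
    "server": "server", "data source": "server", "address": "server", "addr": "server",
    "database": "database", "initial catalog": "database",
}

# key=value pairs separated by ';' (keys may contain spaces/underscores)
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z_ ]*?)\s*=\s*([^;]*)")

# Constructed sample "binary": an MZ header, one ASCII OLE DB string,
# one UTF-16LE ADO.NET string with a password, and one UTF-16LE string
# using integrated auth (the safe pattern, which must not be flagged).
ASCII_CONN = (b"Provider=SQLOLEDB;Data Source=SQLSRV01;Initial Catalog=AppDB;"
              b"User ID=appuser;Password=Hunter2!;")
UTF16_CONN = ("Server=10.0.0.5,1433;Database=AppDB;User Id=svc_app;"
              "Password=S3cret#;").encode("utf-16-le")
SAFE_CONN = "Trusted_Connection=yes;Server=dc01;".encode("utf-16-le")
SAMPLE_BINARY = (b"MZ\x90\x00" + b"\x00" * 64 + ASCII_CONN + b"\x00" * 32
                 + UTF16_CONN + b"\xff" * 16 + SAFE_CONN + b"\x00" * 8)


def printable_strings(blob: bytes, min_len: int = 8) -> Iterator[Tuple[str, str]]:
    """Yield (encoding, text) for printable runs of at least min_len chars.

    ASCII runs are plain printable bytes; UTF-16LE runs are printable
    bytes each followed by a NUL, which is how wide-string literals look.
    """
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        yield "utf-16le", m.group().decode("utf-16-le")


def parse_connection_string(text: str) -> Dict[str, str]:
    """Split key=value;... into a dict with canonical, lower-cased keys."""
    fields: Dict[str, str] = {}
    for key, value in PAIR_RE.findall(text):
        canon = ALIASES.get(key.strip().lower(), key.strip().lower())
        fields[canon] = value.strip()
    return fields


def find_hardcoded_sql_credentials(blob: bytes) -> List[Dict[str, str]]:
    """Return every embedded connection string naming a server and a password.

    Integrated-auth strings have no password field and are not reported.
    """
    findings: List[Dict[str, str]] = []
    for enc, text in printable_strings(blob):
        fields = parse_connection_string(text)
        if "password" in fields and "server" in fields:
            findings.append({
                "encoding": enc,
                "server": fields["server"],
                "database": fields.get("database", ""),
                "user": fields.get("user", ""),
                "password": fields["password"],
            })
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_sql_credentials(SAMPLE_BINARY):
        # Mask the secret when printing; the return value keeps it for triage.
        print(f"[{f['encoding']}] {f['user']}@{f['server']}/{f['database']} "
              f"password={f['password'][:2]}***")
```

To run it against a real client, replace SAMPLE_BINARY with the bytes of the executable or DLL (open(path, "rb").read()). Obfuscated or encrypted strings will not match and need a runtime approach instead (attaching a debugger or sniffing the TDS login packet). Once a credential has been recovered, the privilege claim in the summary can be checked from a session opened with it by running SELECT IS_ROLEMEMBER('db_owner') in the application database; a result of 1 confirms the db_owner membership described above.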
User: jTag Labs (UID 51246)
Submission: 07/30/2024 16:55
Moderation: 08/01/2024 14:15 (2 days later)
Status: Accepted
VulDB entry: 273369 [Horizon Business Services Caterease up to 24.0.1.2405 SQL User hard-coded password]
Points: 17
