Sage 300 through 2022 uses a hard-coded 40-byte blowfish...
Critical severity
Unreviewed
Published
Apr 28, 2023
to the GitHub Advisory Database
•
Updated Apr 4, 2024
Description
Published by the National Vulnerability Database
Apr 28, 2023
Published to the GitHub Advisory Database
Apr 28, 2023
Last updated
Apr 4, 2024
Sage 300 through 2022 uses a hard-coded 40-byte blowfish key to encrypt and decrypt user passwords and SQL connection strings stored in ISAM database files in the shared data directory. This issue could allow attackers to decrypt user passwords and SQL connection strings.
References