CVE-2023-4538 MEDIUM

CVE-2023-4538: Shared Key in Comarch ERP XL

Vendor: Comarch
Product: ERP XL
Weakness: CWE-522 · Insufficiently protected credentials
Published: February 15, 2024
Last update: August 29, 2024

CVSS base score

6.2/10
Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

The database access credentials configured during installation are stored in a special table and are encrypted with a shared key that is the same across all Comarch ERP XL client installations. This could allow an attacker with access to that table to retrieve plaintext passwords. This issue affects ERP XL versions 2020.2.2 through 2023.2.

Key dates

Disclosure timeline

February 15, 2024: CVE published
August 29, 2024: Record updated