Vulnerability Details : CVE-2023-2809
Plaintext credential usage vulnerability in Sage 200 Spain 2023.38.001 version, the exploitation of which could allow a remote attacker to extract SQL database credentials from the DLL application. This vulnerability could be linked to known techniques to obtain remote execution of MS SQL commands and escalate privileges on Windows systems because the credentials are stored in plaintext.
Published
2023-10-04 11:15:10
Updated
2023-12-19 15:15:08
Products affected by CVE-2023-2809
- cpe:2.3:a:sage:sage_200_spain:2023.38.001:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-2809
- 0.34%: Probability of exploitation activity in the next 30 days
- ~ 71%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-2809
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | Spanish National Cybersecurity Institute, S.A. (INCIBE) | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2023-2809
- The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Assigned by:
  - cve-coordination@incibe.es (Primary)
  - nvd@nist.gov (Secondary)
- The product contains hard-coded credentials, such as a password or cryptographic key. Assigned by: cve-coordination@incibe.es (Secondary)
References for CVE-2023-2809
- https://www.incibe.es/en/incibe-cert/notices/aviso/use-cleartext-credentials-sage-200
  Use Cleartext Credentials Sage 200 | INCIBE-CERT | INCIBE (Third Party Advisory)