The optional Web Screens feature for Sage 300 through version 2022 uses a hard-coded 40-byte blowfish key ("PASS_KEY") to encrypt and decrypt the database connection string for the PORTAL database found in the "dbconfig.xml". This issue could allow malicious users to obtain access to the SQL database.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
sage sage 300 |