CVE-2022-41400

CRITICAL

Sage 300 through 2022 - Use of Hard-coded Credentials for Password Encryption

Title source: llm

Description

Sage 300 through 2022 uses a hard-coded 40-byte Blowfish key to encrypt and decrypt user passwords and SQL connection strings stored in ISAM database files in the shared data directory. Because the key is fixed in the product rather than generated per installation, it is the same on every deployment; an attacker who can read those ISAM files and who holds the key can decrypt the stored user passwords and SQL connection strings.

References (1)

Core 1

Scores

CVSS v3 9.8
EPSS 0.0062
EPSS Percentile 45.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-798
Status published
Products (1)
sage/sage_300 < 2022
Published Apr 28, 2023
Tracked Since Feb 18, 2026