Hard-coded Blowfish Key Vulnerability in Sage 300 Web Screens

Hard-coded Blowfish Key Vulnerability in Sage 300 Web Screens

CVE-2022-41399 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

The optional Web Screens feature for Sage 300 through version 2022 uses a hard-coded 40-byte blowfish key ("PASS_KEY") to encrypt and decrypt the database connection string for the PORTAL database found in the "dbconfig.xml". This issue could allow attackers to obtain access to the SQL database.

Learn more about our Cis Benchmark Audit For Microsoft Sql Server.