| CVE ID | CVE-2024-4995 |
| Publication date | 18 December 2024 |
| Vendor | Asseco Business Solutions S.A. |
| Product | Wapro ERP Desktop |
| Vulnerable versions | All before 9.00.0 |
| Vulnerability type (CWE) | Missing Encryption of Sensitive Data (CWE-311) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2024-4996 |
| Publication date | 18 December 2024 |
| Vendor | Asseco Business Solutions S.A. |
| Product | Wapro ERP Desktop |
| Vulnerable versions | All before 8.90.0 |
| Vulnerability type (CWE) | Use of Hard-coded Credentials (CWE-798) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in Wapro ERP Desktop software and participated in coordination of their disclosure.
The vulnerability CVE-2024-4995: Wapro ERP Desktop is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification. This issue affects Wapro ERP Desktop versions before 9.00.0.
The vulnerability CVE-2024-4996: Use of a hard-coded password for a database administrator account created during Wapro ERP installation allows an attacker to retrieve embedded sensitive data stored in the database. The password is same among all Wapro ERP installations. This issue affects Wapro ERP Desktop versions before 8.90.0.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.