| Field | Value |
|---|---|
| CVE ID | CVE-2024-8773 |
| Publication date | 24 March 2025 |
| Vendor | Simple SA |
| Product | SIMPLE.ERP |
| Vulnerable versions | From 6.20 to [email protected] |
| Vulnerability type (CWE) | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') (CWE-757) |
| Report source | Report to CERT Polska |

| Field | Value |
|---|---|
| CVE ID | CVE-2024-8774 |
| Publication date | 24 March 2025 |
| Vendor | Simple SA |
| Product | SIMPLE.ERP |
| Vulnerable versions | From 6.20 to [email protected] |
| Vulnerability type (CWE) | Storing Passwords in a Recoverable Format (CWE-257) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in SIMPLE.ERP software and participated in coordination of their disclosure.
CVE-2024-8773: the SIMPLE.ERP client accepts an encryption downgrade of the MS SQL wire protocol (TDS) when the downgrade is requested from the server side of the connection. A client that honours such a request falls back to unencrypted communication, which exposes the session to interception and modification of data by anyone able to tamper with traffic on the path.
CVE-2024-8774: the SIMPLE.ERP client stores the superuser (database administrator) password in a recoverable format, so any authenticated SIMPLE.ERP user can recover it and escalate privileges to database administrator.
These issues affect SIMPLE.ERP versions 6.20 through 6.30. Only version 6.30 received a patch ([email protected]), which removes both vulnerabilities and makes it possible for an administrator to enforce encrypted communication. Versions 6.20 and 6.25 remain unpatched.
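The downgrade described for CVE-2024-8773 is a property of how the TDS PRELOGIN handshake negotiates encryption: the client announces whether it wants encryption, the server answers, and only a client that *requires* encryption (ENCRYPT_REQ) refuses to continue when the answer says it is unavailable. The script below is an added illustration written for this page, not code from the advisory, from CERT Polska or from the SIMPLE.ERP vendor, and it says nothing about how the SIMPLE.ERP client is actually implemented. It encodes and parses real PRELOGIN option tables (token, offset, length entries, a 0xFF terminator, then the option data) using the ENCRYPTION values defined in MS-TDS, but `client_decision` is a simplified model of the negotiation outcome (an assumption, not the full specification table), and `mitm_rewrite` stands in for an attacker on the path who rewrites the server's answer. It shows that a client which merely prefers encryption is silently downgraded to plaintext, while a client configured to require it aborts instead, which is the kind of enforcement the advisory says the patch lets administrators turn on.

```python
"""Model of a TDS PRELOGIN encryption downgrade (illustration, not SIMPLE.ERP code)."""
import struct

# PRELOGIN ENCRYPTION option values defined in MS-TDS.
ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0x00, 0x01, 0x02, 0x03
# PRELOGIN option tokens used here (MS-TDS): VERSION, ENCRYPTION, TERMINATOR.
OPT_VERSION, OPT_ENCRYPTION, OPT_TERMINATOR = 0x00, 0x01, 0xFF


def build_prelogin(encryption: int, version: bytes = b"\x00\x00\x00\x00\x00\x00") -> bytes:
    """Encode a PRELOGIN payload: option table (token, offset, length), 0xFF, option data."""
    options = [(OPT_VERSION, version), (OPT_ENCRYPTION, bytes([encryption]))]
    table, data = b"", b""
    offset = len(options) * 5 + 1  # each table entry is 5 bytes, plus the terminator
    for token, value in options:
        table += struct.pack(">BHH", token, offset, len(value))
        data += value
        offset += len(value)
    return table + bytes([OPT_TERMINATOR]) + data


def parse_prelogin(payload: bytes) -> dict:
    """Decode a PRELOGIN payload back into {token: value}."""
    opts, i = {}, 0
    while payload[i] != OPT_TERMINATOR:
        token, offset, length = struct.unpack_from(">BHH", payload, i)
        opts[token] = payload[offset:offset + length]
        i += 5
    return opts


def mitm_rewrite(server_prelogin: bytes) -> bytes:
    """Attacker on the path: replace the server's ENCRYPTION answer with ENCRYPT_NOT_SUP."""
    opts = parse_prelogin(server_prelogin)
    return build_prelogin(ENCRYPT_NOT_SUP, opts[OPT_VERSION])


def client_decision(client_enc: int, server_enc: int) -> str:
    """Simplified model of the client outcome (assumption: abstracts the full MS-TDS table).

    'encrypted': full-session TLS; 'plaintext': data in the clear; 'abort': connection refused.
    """
    if client_enc == ENCRYPT_REQ:
        # Only a client that requires encryption refuses to proceed without it.
        return "encrypted" if server_enc in (ENCRYPT_ON, ENCRYPT_REQ) else "abort"
    if server_enc == ENCRYPT_REQ and client_enc == ENCRYPT_NOT_SUP:
        return "abort"
    if server_enc in (ENCRYPT_ON, ENCRYPT_REQ) and client_enc != ENCRYPT_NOT_SUP:
        return "encrypted"
    # A client that only prefers encryption falls back when told it is off or unsupported.
    return "plaintext"


def handshake(client_enc: int, server_enc: int, attacker: bool) -> str:
    """Run one PRELOGIN exchange; the attacker, if present, tampers with the server's reply."""
    client_msg = build_prelogin(client_enc)
    server_msg = build_prelogin(server_enc)
    if attacker:
        server_msg = mitm_rewrite(server_msg)
    client_wants = parse_prelogin(client_msg)[OPT_ENCRYPTION][0]
    client_sees = parse_prelogin(server_msg)[OPT_ENCRYPTION][0]
    return client_decision(client_wants, client_sees)


if __name__ == "__main__":
    # Honest server that supports encryption, client that merely prefers it.
    print(handshake(ENCRYPT_ON, ENCRYPT_ON, attacker=False))   # encrypted
    # Same client with an attacker rewriting the server's answer: silent downgrade.
    print(handshake(ENCRYPT_ON, ENCRYPT_ON, attacker=True))    # plaintext
    # Client configured to require encryption: the tampered answer is rejected.
    print(handshake(ENCRYPT_REQ, ENCRYPT_ON, attacker=True))   # abort
```

The practical takeaway for an operator is to check which of these three behaviours the client actually exhibits when the server's PRELOGIN answer is ENCRYPT_NOT_SUP: a "prefer" setting that continues in plaintext offers no protection against an on-path attacker, whereas a "require" setting (or a server-side "Force Encryption" policy) turns the downgrade into a failed connection.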
Credits
We thank Marcin Ochab, PhD for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.