VU#706118: Workhorse Software Services, Inc. software prior to version 1.9.4.48019, default deployment is vulnerable to multiple issues.
Workhorse Software Services municipal accounting software, prior to version 1.9.4.48019, has critical design flaws. These flaws permit unauthorized access to sensitive municipal data and enable data exfiltration. A major vulnerability involves the plaintext storage of database connection information alongside the application executable. This allows individuals with read access to the directory to potentially recover SQL credentials if SQL authentication is used. Furthermore, the software features an unauthenticated database backup function accessible even from the login screen. This backup creates an unencrypted ZIP archive containing a .bak file that can be restored without a password. An attacker could exploit these vulnerabilities, for instance, by gaining physical access to a workstation or by using malware. The impact of such an attack could be the exfiltration of the entire database. This could expose sensitive personally identifiable information and comprehensive municipal financial records. Data tampering, undermining audit trails and compromising financial operations, is also a significant risk. The CERT/CC strongly recommends updating to version 1.9.4.48019 immediately. Additional mitigation strategies include restricting application directory access and enabling SQL Server encryption with Windows Authentication.