Pastel Accounting is reported to store sensitive user and security information on the local system using a trivially reversible obfuscation method. This information is stored in the 'ACCUSER.DAT' file in each client folder and is encoded by rotating the characters of the original string. Malicious users with read access to this file may easily gain access to sensitive information. Malicious users with write access to the file can also modify the data, because the software does not verify the contents of this file any further. This issue was reported in Pastel Accounting versions 6.0-6.12. Other versions may also be affected.