cvedb.io
CVE-2018-14607
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2018-07-26T22:29:00.210 · Last modified 2026-06-17T01:41:16.520

Summary

Thomson Reuters UltraTax CS 2017 on Windows, in a client/server configuration, transfers customer records and bank account numbers in cleartext over SMBv2, which allows attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors. The customer record transferred in cleartext contains: Client ID, Full Name, Spouse's Full Name, Social Security Number, Spouse's Social Security Number, Occupation, Spouse's Occupation, Daytime Phone, Home Phone, Tax Preparer, Federal and State Taxes to File, Bank Name, Bank Account Number, and possibly other sensitive information.

Affected products

thomsonreuters — ultratax_cs_2017



This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.