Critical Flaws Reported in Sage X3 Enterprise Management Software (Security News, July 2021)
Four security vulnerabilities have been uncovered in the Sage X3 enterprise resource planning product, two of which could be chained together as part of an attack sequence to enable adversaries to execute malicious commands and take control of vulnerable systems.
The vendor has since rolled out fixes in recent releases for Sage X3 Version 9, Sage X3 HR & Payroll Version 9, Sage X3 Version 11, and Sage X3 Version 12 that were shipped in March.
The service in question is used for remote management of the Sage ERP solution through the Sage X3 Console.
Separately, the 'Edit' page associated with user profiles in the Sage X3 Syracuse web server component is vulnerable to a stored XSS attack, enabling the execution of arbitrary JavaScript code during 'mouseOver' events in the 'First name', 'Last name', and 'Email' fields.
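The standard fix for a stored XSS of this kind is to encode every user-controlled field before it is placed into the page, so that a stored value carrying markup or an event-handler attribute is rendered as literal text. The following is an added example, not Sage's code: the field names, the form template and the sample record are all assumptions made for the illustration.

```javascript
// Added example (not Sage's or Syracuse's code): escaping user-controlled
// profile fields before they are rendered into an HTML form. Field names and
// the template are assumptions; the sample record is constructed.

// Map every character that can change HTML structure or break out of an
// attribute value to its entity reference.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed field names for the profile 'Edit' page.
const PROFILE_FIELDS = ['firstName', 'lastName', 'email'];

// Render the edit form. Every stored value goes through escapeHtml, so an
// attribute boundary or tag present in the data cannot reach the browser
// as markup; the quote and angle-bracket characters arrive as entities.
function renderProfileEditForm(profile) {
  const rows = PROFILE_FIELDS.map((name) => {
    const safe = escapeHtml(profile[name] ?? '');
    return `<label>${escapeHtml(name)} <input name="${name}" value="${safe}"></label>`;
  });
  return `<form>${rows.join('\n')}</form>`;
}

// Constructed sample record: a stored first name that tries to close the
// value attribute and add an event handler, and a last name carrying a tag.
const SAMPLE_PROFILE = {
  firstName: 'Jane" onmouseover="stolen()',
  lastName: '<b>Doe</b>',
  email: 'jane@example.com',
};

// Defensive self-check usable in a unit test: true if any stored value that
// contains a structural character appears verbatim in the rendered output,
// i.e. if user data was able to create a tag or attribute boundary.
function containsUnescapedUserMarkup(html, profile) {
  return PROFILE_FIELDS.some((name) => {
    const raw = String(profile[name] ?? '');
    return /[<>"']/.test(raw) && html.includes(raw);
  });
}

console.log(renderProfileEditForm(SAMPLE_PROFILE));
```

The same escaping must be applied on every output path (the edit page, any profile listing, and any JSON that is later written into the DOM), and the check above is the kind of assertion worth keeping in a regression test so that a template change that drops the encoding is caught before release.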
Successful exploitation of CVE-2020-7387, on the other hand, results in the exposure of Sage X3 installation paths to an unauthorized user, while CVE-2020-7389 concerns missing authentication in Syracuse development environments that could be used to gain code execution via command injection.
"Generally speaking, Sage X3 installations should not be exposed directly to the internet, and should instead be made available via a secure VPN connection where required," the researchers noted in the disclosure.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/-Nk5V6X3eC0/critical-flaws-reported-in-sage-x3.html
Related Vulnerabilities

| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
|---|---|---|---|
| 2021-07-22 | CVE-2020-7389 | OS Command Injection vulnerability in Sage Syracuse Sage X3 System CHAINE Variable Script Command Injection. | 7.2 |
| 2021-07-22 | CVE-2020-7387 | Unspecified vulnerability in Sage Adxadmin Sage X3 Installation Pathname Disclosure. | 5.3 |