2022

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

LOW

Availability impact

NONE

network

low complexity

sage

NVD

Published: 2023-05-16

Updated: 2023-05-25

Summary

Versions of Sage 300 through 2022 implement role-based access controls that are only enforced client-side. Low-privileged Sage users, particularly those on a workstation setup in the "Windows Peer-to-Peer Network" or "Client Server Network" Sage 300 configurations, could recover the SQL connection strings being used by Sage 300 and interact directly with the underlying database(s) to create, update, and delete all company records, bypassing the program’s role-based access controls.

Vulnerable Configurations

Part	Description	Count
Application	Sage Sage Sage 300 2020 Sage Sage 300 2021 Sage Sage 300 2022	18

References

https://www.controlgap.com/blog/critical-vulnerability-disclosure-sage-300