Vulnerabilities > Sage > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-22 | CVE-2023-31867 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Sage X3 12.14.0.500 Sage X3 version 12.14.0.50-0 is vulnerable to CSV Injection. | 7.2 |
| 2023-04-28 | CVE-2022-38583 | Incorrect Default Permissions vulnerability in Sage 300 On versions of Sage 300 2017 - 2022 (6.4.x - 6.9.x) which are setup in a "Windows Peer-to-Peer Network" or "Client Server Network" configuration, a low-privileged Sage 300 workstation user could abuse their access to the "SharedData" folder on the connected Sage 300 server to view and/or modify the credentials associated with Sage 300 users and SQL accounts to impersonate users and/or access the SQL database as a system administrator. | 7.8 |
| 2023-04-28 | CVE-2022-41398 | Use of Hard-coded Credentials vulnerability in Sage 300 The optional Global Search feature for Sage 300 through version 2022 uses a set of hard-coded credentials for the accompanying Apache Solr instance. | 7.5 |
| 2023-04-28 | CVE-2022-41399 | Use of Hard-coded Credentials vulnerability in Sage 300 The optional Web Screens feature for Sage 300 through version 2022 uses a hard-coded 40-byte blowfish key ("PASS_KEY") to encrypt and decrypt the database connection string for the PORTAL database found in the "dbconfig.xml". | 7.5 |
| 2023-01-27 | CVE-2019-25053 | Path Traversal vulnerability in Sage FRP 1000 A path traversal vulnerability exists in Sage FRP 1000 before November 2019. | 7.5 |
| 2023-01-01 | CVE-2022-34324 | SQL Injection vulnerability in Sage XRT Business Exchange 12.4.302 Multiple SQL injections in Sage XRT Business Exchange 12.4.302 allow an authenticated attacker to inject malicious data in SQL queries: Add Currencies, Payment Order, and Transfer History. | 8.8 |
| 2022-07-14 | CVE-2021-45492 | Incorrect Permission Assignment for Critical Resource vulnerability in Sage 300 In Sage 300 ERP (formerly accpac) through 6.8.x, the installer configures the C:\Sage\Sage300\Runtime directory to be the first entry in the system-wide PATH environment variable. | 7.8 |
| 2021-07-22 | CVE-2020-7389 | OS Command Injection vulnerability in Sage Syracuse Sage X3 System CHAINE Variable Script Command Injection. | 7.2 |
| 2018-07-24 | CVE-2017-3183 | Incorrect Authorization vulnerability in Sage XRT Treasury 3.0 Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. | 8.8 |