Vulnerabilities > Sage > High

| Date | CVE | Vulnerability title | Description | Attack vector | Complexity | Vendor | CWE | Score |
|---|---|---|---|---|---|---|---|---|
| 2023-06-22 | CVE-2023-31867 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Sage X3 12.14.0.500 | Sage X3 version 12.14.0.50-0 is vulnerable to CSV Injection. | network | low | sage | CWE-1236 | 7.2 |
| 2023-04-28 | CVE-2022-38583 | Incorrect Default Permissions vulnerability in Sage 300 | On versions of Sage 300 2017 - 2022 (6.4.x - 6.9.x) which are set up in a "Windows Peer-to-Peer Network" or "Client Server Network" configuration, a low-privileged Sage 300 workstation user could abuse their access to the "SharedData" folder on the connected Sage 300 server to view and/or modify the credentials associated with Sage 300 users and SQL accounts to impersonate users and/or access the SQL database as a system administrator. | local | low | sage | CWE-276 | 7.8 |
| 2023-04-28 | CVE-2022-41398 | Use of Hard-coded Credentials vulnerability in Sage 300 | The optional Global Search feature for Sage 300 through version 2022 uses a set of hard-coded credentials for the accompanying Apache Solr instance. | network | low | sage | CWE-798 | 7.5 |
| 2023-04-28 | CVE-2022-41399 | Use of Hard-coded Credentials vulnerability in Sage 300 | The optional Web Screens feature for Sage 300 through version 2022 uses a hard-coded 40-byte Blowfish key ("PASS_KEY") to encrypt and decrypt the database connection string for the PORTAL database found in the "dbconfig.xml". | network | low | sage | CWE-798 | 7.5 |
| 2023-01-27 | CVE-2019-25053 | Path Traversal vulnerability in Sage FRP 1000 | A path traversal vulnerability exists in Sage FRP 1000 before November 2019. | network | low | sage | CWE-22 | 7.5 |
| 2023-01-01 | CVE-2022-34324 | SQL Injection vulnerability in Sage XRT Business Exchange 12.4.302 | Multiple SQL injections in Sage XRT Business Exchange 12.4.302 allow an authenticated attacker to inject malicious data in SQL queries: Add Currencies, Payment Order, and Transfer History. | network | low | sage | CWE-89 | 8.8 |
| 2022-07-14 | CVE-2021-45492 | Incorrect Permission Assignment for Critical Resource vulnerability in Sage 300 | In Sage 300 ERP (formerly accpac) through 6.8.x, the installer configures the C:\Sage\Sage300\Runtime directory to be the first entry in the system-wide PATH environment variable. | local | low | sage | CWE-732 | 7.8 |
| 2021-07-22 | CVE-2020-7389 | OS Command Injection vulnerability in Sage Syracuse | Sage X3 System CHAINE Variable Script Command Injection. | network | low | sage | CWE-78 | 7.2 |
| 2018-07-24 | CVE-2017-3183 | Incorrect Authorization vulnerability in Sage XRT Treasury 3.0 | Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. | network | low | sage | CWE-863 | 8.8 |