Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-7389

Sage X3 System CHAINE Variable Script Command Injection. An authenticated user with developer access can pass OS commands via this variable used by the web application. Note, this developer configuration should not be deployed in production.

Published

2021-07-22T19:15:08.517

Last Modified

2024-11-21T05:37:09.920

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

8.0

Impact Score

10.0

Weaknesses

Type: Secondary
CWE-306
Type: Primary
CWE-78

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	sage	syracuse	< 9.22.7.2	Yes
Application	sage	x3	9.0	No
Application	sage	syracuse	< 11.25.2.6	Yes
Application	sage	x3	11.0	No
Application	sage	syracuse	< 12.10.2.8	Yes
Application	sage	x3	12.0	No

References

https://rapid7.com/blog/post/2021/07/07/sage-x3-multiple-vulnerabilities-fixed Broken Link ([email protected])
https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/ Exploit, Third Party Advisory ([email protected])
https://rapid7.com/blog/post/2021/07/07/sage-x3-multiple-vulnerabilities-fixed Broken Link (af854a3a-2127-422b-91ae-364da2661108)