sage

Top products

The 15 most recently published vulnerabilities affecting sage.

• CVE-2024-48648A Reflected Cross-Site Scripting (XSS) vulnerability exists in the Sage 1000 v 7.0.0. This vulnerability allows attackers to inject malicious scripts into URLs, which are reflected back by the serv...6.1Oct 30, 2024
• CVE-2024-48647A file disclosure vulnerability exists in Sage 1000 v7.0.0. This vulnerability allows remote attackers to retrieve arbitrary files from the server's file system by manipulating the URL parameter in...7.2Oct 30, 2024
• CVE-2024-48646An Unrestricted File Upload vulnerability exists in Sage 1000 v7.0.0, which allows authorized users to upload files without proper validation. An attacker could exploit this vulnerability by upload...8.1Oct 30, 2024
• CVE-2023-2809Use of Cleartext credentials in Sage 200 Spain7.8Oct 4, 2023
• CVE-2023-31868Sage X3 version 12.14.0.50-0 is vulnerable to Cross Site Scripting (XSS). Some parts of the Web application are dynamically built using user's inputs. Yet, those inputs are not verified nor filtere...5.4Jun 22, 2023
• CVE-2023-31867Sage X3 version 12.14.0.50-0 is vulnerable to CSV Injection.7.2Jun 22, 2023
• CVE-2023-29927Versions of Sage 300 through 2022 implement role-based access controls that are only enforced client-side. Low-privileged Sage users, particularly those on a workstation setup in the "Windows Peer-...4.3May 16, 2023
• CVE-2022-41399The optional Web Screens feature for Sage 300 through version 2022 uses a hard-coded 40-byte blowfish key ("PASS_KEY") to encrypt and decrypt the database connection string for the PORTAL database ...7.5Apr 28, 2023
• CVE-2022-41398The optional Global Search feature for Sage 300 through version 2022 uses a set of hard-coded credentials for the accompanying Apache Solr instance. This issue could allow attackers to login to the...7.5Apr 28, 2023
• CVE-2022-41397The optional Web Screens and Global Search features for Sage 300 through version 2022 use a hard-coded 40-byte blowfish key ("LandlordPassKey") to encrypt and decrypt secrets stored in configuratio...9.8Apr 28, 2023
• CVE-2022-41400Sage 300 through 2022 uses a hard-coded 40-byte blowfish key to encrypt and decrypt user passwords and SQL connection strings stored in ISAM database files in the shared data directory. This issue ...9.8Apr 28, 2023
• CVE-2022-38583On versions of Sage 300 2017 - 2022 (6.4.x - 6.9.x) which are setup in a "Windows Peer-to-Peer Network" or "Client Server Network" configuration, a low-privileged Sage 300 workstation user could ab...7.8Apr 28, 2023
• CVE-2019-25053A path traversal vulnerability exists in Sage FRP 1000 before November 2019. This allows remote unauthenticated attackers to access files outside of the web tree via a crafted URL.7.5Jan 27, 2023
• CVE-2022-34324Multiple SQL injections in Sage XRT Business Exchange 12.4.302 allow an authenticated attacker to inject malicious data in SQL queries: Add Currencies, Payment Order, and Transfer History.8.8Jan 1, 2023
• CVE-2022-34323Multiple XSS issues were discovered in Sage XRT Business Exchange 12.4.302 that allow an attacker to execute JavaScript code in the context of other users' browsers. The attacker needs to be authen...5.4Jan 1, 2023