VYPR

Sage

by Sage

CVEs (35)

  • CVE-2022-41400 (Apr 28, 2023)
    risk 0.00 | cvss | epss 0.01

    Sage 300 through 2022 uses a hard-coded 40-byte blowfish key to encrypt and decrypt user passwords and SQL connection strings stored in ISAM database files in the shared data directory. This issue could allow attackers to decrypt user passwords and SQL connection strings.

  • CVE-2022-38583 (Apr 28, 2023)
    risk 0.00 | cvss | epss 0.00

    On versions of Sage 300 2017 - 2022 (6.4.x - 6.9.x) which are set up in a "Windows Peer-to-Peer Network" or "Client Server Network" configuration, a low-privileged Sage 300 workstation user could abuse their access to the "SharedData" folder on the connected Sage 300 server to…

  • CVE-2022-41399 (Apr 28, 2023)
    risk 0.00 | cvss | epss 0.01

    The optional Web Screens feature for Sage 300 through version 2022 uses a hard-coded 40-byte blowfish key ("PASS_KEY") to encrypt and decrypt the database connection string for the PORTAL database found in the "dbconfig.xml". This issue could allow attackers to obtain access to…

  • CVE-2022-41397 (Apr 28, 2023)
    risk 0.00 | cvss | epss 0.01

    The optional Web Screens and Global Search features for Sage 300 through version 2022 use a hard-coded 40-byte blowfish key ("LandlordPassKey") to encrypt and decrypt secrets stored in configuration files and in database tables.

  • CVE-2019-25053 (Jan 27, 2023)
    risk 0.00 | cvss | epss 0.01

    A path traversal vulnerability exists in Sage FRP 1000 before November 2019. This allows remote unauthenticated attackers to access files outside of the web tree via a crafted URL.

  • CVE-2022-34322 (Jan 1, 2023)
    risk 0.00 | cvss | epss 0.01

    Multiple XSS issues were discovered in Sage Enterprise Intelligence 2021 R1.1 that allow an attacker to execute JavaScript code in the context of users' browsers. The attacker needs to be authenticated to reach the vulnerable features. An issue is present in the Notify Users…

  • CVE-2022-34324 (Jan 1, 2023)
    risk 0.00 | cvss | epss 0.12

    Multiple SQL injections in Sage XRT Business Exchange 12.4.302 allow an authenticated attacker to inject malicious data in SQL queries: Add Currencies, Payment Order, and Transfer History.

  • CVE-2022-34323 (Jan 1, 2023)
    risk 0.00 | cvss | epss 0.00

    Multiple XSS issues were discovered in Sage XRT Business Exchange 12.4.302 that allow an attacker to execute JavaScript code in the context of other users' browsers. The attacker needs to be authenticated to reach the vulnerable features. An issue is present in the Filters and…

  • CVE-2021-45492 (Jul 14, 2022)
    risk 0.00 | cvss | epss 0.00

    In Sage 300 ERP (formerly accpac) through 6.8.x, the installer configures the C:\Sage\Sage300\Runtime directory to be the first entry in the system-wide PATH environment variable. However, this directory is writable by unprivileged users because the Sage installer fails to set…

  • CVE-2020-13893 (Oct 18, 2020)
    risk 0.00 | cvss | epss 0.01

    Multiple stored cross-site scripting (XSS) vulnerabilities in Sage EasyPay 10.7.5.10 allow authenticated attackers to inject arbitrary web script or HTML via multiple parameters through Unicode Transformations (Best-fit Mapping), as demonstrated by the full-width variants of the…

  • CVE-2020-26584 (Oct 16, 2020)
    risk 0.00 | cvss | epss 0.01

    An issue was discovered in Sage DPW 2020_06_x before 2020_06_002. The search field "Kurs suchen" on the page Kurskatalog is vulnerable to Reflected XSS. If the attacker can lure a user into clicking a crafted link, he can execute arbitrary JavaScript code in the user's browser.…

  • CVE-2020-26583 (Oct 16, 2020)
    risk 0.00 | cvss | epss 0.01

    An issue was discovered in Sage DPW 2020_06_x before 2020_06_002. It allows unauthenticated users to upload JavaScript (in a file) via the expenses claiming functionality. However, to view the file, authentication is required. By exploiting this vulnerability, an attacker can…

  • CVE-2011-3384 (Sep 8, 2011)
    risk 0.00 | cvss | epss 0.01

    Cross-site scripting (XSS) vulnerability in the Sage add-on 1.3.10 and earlier for Firefox allows remote attackers to inject arbitrary web script or HTML via a crafted feed, a different vulnerability than CVE-2009-4102.

  • CVE-2006-4712 (Sep 12, 2006)
    risk 0.00 | cvss | epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Sage 1.3.6 allow remote attackers to inject arbitrary web script or HTML via JavaScript in a content:encoded element within an item element in an RSS feed, as demonstrated by four example content:encoded elements that use…

  • CVE-2006-4711 (Sep 12, 2006)
    risk 0.00 | cvss | epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Sage allow remote attackers to inject arbitrary web script or HTML via an Atom 1.0 feed, as demonstrated by certain test cases of the James M. Snell Atom 1.0 feed reader test suite.

Page 2 of 2