4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
5 Medium
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
17.5%
Versions of Sage 300 through 2022 implement role-based access controls that are only enforced client-side. Low-privileged Sage users, particularly those on a workstation setup in the βWindows Peer-to-Peer Networkβ or βClient Server Networkβ Sage 300 configurations, could recover the SQL connection strings being used by Sage 300 and interact directly with the underlying database(s) to create, update, and delete all company records, bypassing the programβs role-based access controls.
CPE | Name | Operator | Version |
---|---|---|---|
sage:sage_300 | sage sage 300 | le | 2022 |
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
5 Medium
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
17.5%