Lucene search

[email protected]CVE-2023-31868

HistoryJun 22, 2023 - 12:15 p.m.

CVE-2023-31868

2023-06-2212:15:11

CWE-79

[email protected]

web.nvd.nist.gov

sage x3

version 12.14.0.50-0

cross site scripting

xss

injection points

authentication

administrator

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.6%

JSON

Sage X3 version 12.14.0.50-0 is vulnerable to Cross Site Scripting (XSS). Some parts of the Web application are dynamically built using user’s inputs. Yet, those inputs are not verified nor filtered by the application, so they mathed the expected format. Therefore, when HTML/JavaScript code is injected into those fields, this code will be saved by the application and executed by the web browser of the user viewing the web page. Several injection points have been identified on the application. The major one requires the user to be authenticated with a common account, he can then target an Administrator. All others endpoints need the malicious user to be authenticated as an Administrator. Therefore, the impact is diminished.

Affected configurations

NVD

Node

sagex3Match12.14.0.50-0

CPENameOperatorVersion
sage:x3sage x3eq12.14.0.50-0

CPE	Name	Operator	Version
sage:x3	sage x3	eq	12.14.0.50-0

References

sage.com

github.com/Digitemis/Advisory/blob/main/CVE-2023-31868.txt