Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Sage 300 Security Vulnerabilities

cve
cve

CVE-2021-45492

In Sage 300 ERP (formerly accpac) through 6.8.x, the installer configures the C:\Sage\Sage300\Runtime directory to be the first entry in the system-wide PATH environment variable. However, this directory is writable by unprivileged users because the Sage installer fails to set explicit permissions ...

7.8CVSS

7.9AI Score

0.0005EPSS

2022-07-14 04:15 PM
42
8
cve
cve

CVE-2022-38583

On versions of Sage 300 2017 - 2022 (6.4.x - 6.9.x) which are setup in a "Windows Peer-to-Peer Network" or "Client Server Network" configuration, a low-privileged Sage 300 workstation user could abuse their access to the "SharedData" folder on the connected Sage 300 server to view and/or modify the...

7.8CVSS

7.8AI Score

0.0004EPSS

2023-04-28 01:15 PM
16
cve
cve

CVE-2022-41397

The optional Web Screens and Global Search features for Sage 300 through version 2022 use a hard-coded 40-byte blowfish key ("LandlordPassKey") to encrypt and decrypt secrets stored in configuration files and in database tables.

9.8CVSS

9.3AI Score

0.002EPSS

2023-04-28 01:15 PM
16
cve
cve

CVE-2022-41398

The optional Global Search feature for Sage 300 through version 2022 uses a set of hard-coded credentials for the accompanying Apache Solr instance. This issue could allow attackers to login to the Solr dashboard with admin privileges and access sensitive information.

7.5CVSS

7.5AI Score

0.001EPSS

2023-04-28 01:15 PM
18
cve
cve

CVE-2022-41399

The optional Web Screens feature for Sage 300 through version 2022 uses a hard-coded 40-byte blowfish key ("PASS_KEY") to encrypt and decrypt the database connection string for the PORTAL database found in the "dbconfig.xml". This issue could allow attackers to obtain access to the SQL database.

7.5CVSS

7.6AI Score

0.001EPSS

2023-04-28 01:15 PM
16
cve
cve

CVE-2022-41400

Sage 300 through 2022 uses a hard-coded 40-byte blowfish key to encrypt and decrypt user passwords and SQL connection strings stored in ISAM database files in the shared data directory. This issue could allow attackers to decrypt user passwords and SQL connection strings.

9.8CVSS

9.4AI Score

0.002EPSS

2023-04-28 01:15 PM
15
cve
cve

CVE-2023-29927

Versions of Sage 300 through 2022 implement role-based access controls that are only enforced client-side. Low-privileged Sage users, particularly those on a workstation setup in the "Windows Peer-to-Peer Network" or "Client Server Network" Sage 300 configurations, could recover the SQL connection ...

4.3CVSS

5AI Score

0.0005EPSS

2023-05-16 08:15 PM
16