Description

Sage X3 Stored XSS Vulnerability on ‘Edit’ Page of User Profile. An authenticated user can pass XSS strings the "First Name," "Last Name," and "Email Address" fields of this web application component. Updates are available for on-premises versions of Version 12 (components shipped with Syracuse 12.10.0 and later) of Sage X3. Other on-premises versions of Sage X3 are unaffected or unsupported by the vendor.

Related CPE's

a

sage

syracuse

Vulnerable

a

sage

x3

12.0

References

https://rapid7.com/blog/post/2021/07/07/sage-x3-multiple-vulnerabilities-fixed

Broken Link

https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/

ExploitThird Party Advisory

https://www.sagecity.com/gb/sage-x3-uk/f/sage-x3-uk-announcements-news-and-alerts/147993/sage-x3-latest-patches

PatchVendor Advisory

Weaknesses

[email protected]

Primary
CWE-79

[email protected]

Secondary
CWE-79

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.4 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-07-22T19:15:08.577

3 years ago

Last modified

2023-11-07T03:26:06.190

1 year ago