CVE-2020-7389

Sage X3 System CHAINE Variable Script Command Injection. An authenticated user with developer access can pass OS commands via this variable used by the web application. Note that this developer configuration should not be deployed in production.

Configurations

Configuration 1

AND
cpe:2.3:a:sage:syracuse:*:*:*:*:*:*:*:*
cpe:2.3:a:sage:x3:9.0:*:*:*:*:*:*:*

Configuration 2

AND
cpe:2.3:a:sage:syracuse:*:*:*:*:*:*:*:*
cpe:2.3:a:sage:x3:11.0:*:*:*:*:*:*:*

Configuration 3

AND
cpe:2.3:a:sage:syracuse:*:*:*:*:*:*:*:*
cpe:2.3:a:sage:x3:12.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-07-22 19:15

Updated : 2024-02-28 18:28


NVD link : CVE-2020-7389

Mitre link : CVE-2020-7389

CVE.ORG link : CVE-2020-7389



Products Affected

sage

  • syracuse
  • x3

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-306

Missing Authentication for Critical Function