CVE-2020-7389

Sage X3 System CHAINE Variable Script Command Injection. An authenticated user with developer access can pass OS commands via this variable used by the web application. Note, this developer configuration should not be deployed in production.

Configurations

Configuration 1

AND
cpe:2.3:a:sage:syracuse:*:*:*:*:*:*:*:*
cpe:2.3:a:sage:x3:9.0:*:*:*:*:*:*:*

Configuration 2

AND
cpe:2.3:a:sage:syracuse:*:*:*:*:*:*:*:*
cpe:2.3:a:sage:x3:11.0:*:*:*:*:*:*:*

Configuration 3

AND
cpe:2.3:a:sage:syracuse:*:*:*:*:*:*:*:*
cpe:2.3:a:sage:x3:12.0:*:*:*:*:*:*:*

History

21 Nov 2024, 05:37

Type: CVSS
Values Removed: v2 : 9.0, v3 : 7.2
Values Added: v2 : 9.0, v3 : 5.5

Type: References
Values Removed: https://rapid7.com/blog/post/2021/07/07/sage-x3-multiple-vulnerabilities-fixed - Broken Link
Values Added: https://rapid7.com/blog/post/2021/07/07/sage-x3-multiple-vulnerabilities-fixed - Broken Link

Information

Published : 2021-07-22 19:15

Updated : 2024-11-21 05:37


NVD link : CVE-2020-7389

Mitre link : CVE-2020-7389

CVE.ORG link : CVE-2020-7389


Products Affected

sage

  • x3
  • syracuse

CWE

CWE-306

Missing Authentication for Critical Function

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')