CVE-2023-31868

EPSS 0.09%
Published 22.06.2023 12:15:11
Last modified 21.11.2024 08:02:21
Source cve@mitre.org
Teams watchlist Login
Open Login

Sage X3 version 12.14.0.50-0 is vulnerable to Cross Site Scripting (XSS). Some parts of the Web application are dynamically built using user's inputs. Yet, those inputs are not verified nor filtered by the application, so they mathed the expected format. Therefore, when HTML/JavaScript code is injected into those fields, this code will be saved by the application and executed by the web browser of the user viewing the web page. Several injection points have been identified on the application. The major one requires the user to be authenticated with a common account, he can then target an Administrator. All others endpoints need the malicious user to be authenticated as an Administrator. Therefore, the impact is diminished.

Affected products Warnungen 0 Metrics 2 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Sage ≫ X3 Version12.14.0.50-0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.09%	0.272

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://sage.com

Product

https://github.com/Digitemis/Advisory/blob/main/CVE-2023-31868.txt

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-31868

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-31868

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-31868

EUVD