PT-2023-22481 · Sage · Sage 300

Konrad Haase · Published 2023-05-16 · Updated 2023-05-25 · CVE-2023-29927

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Sage 300 versions through 2022

Description: The issue arises from client-side enforcement of role-based access controls in Sage 300. Low-privileged users, especially those in specific network configurations, can recover SQL connection strings and interact with the database directly. This lets them create, update, and delete company records, bypassing the application's access controls.

Recommendations: For Sage 300 versions through 2022, restrict direct database access to reduce the risk of unauthorized data modification until a patch is available. As a temporary workaround, limit the use of SQL connection strings within the application so that low-privileged users cannot exploit this issue.

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2023-29927

Affected Products: Sage 300