Xjcrazy09

Name of the Vulnerable Software and Affected Versions: Sage X3 System (affected versions not specified) Description: The issue allows an authenticated user with developer access to inject OS commands via the `CHAINE` variable used by the web application. It is noted that this developer configuration should not be deployed in production. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Sage X3 versions prior to 9 with Syracuse 9.22.7.2 Sage X3 HR & Payroll versions prior to 9 with Syracuse 9.24.1.3 Sage X3 versions prior to 11 with Syracuse 11.25.2.6 Sage X3 versions prior to 12 with Syracuse 12.10.2.8 Description: A specially crafted packet can elicit a response from the AdxDSrv.exe component that reveals the installation directory of the product. This issue can be combined with another vulnerability to achieve full remote code execution (RCE). Recommendations: For Sage X3 versions prior to 9 with Syracuse 9.22.7.2, update to AdxAdmin 93.2.53 or later. For Sage X3 HR & Payroll versions prior to 9 with Syracuse 9.24.1.3, update to AdxAdmin 93.2.53 or later. For Sage X3 versions prior to 11 with Syracuse 11.25.2.6, update to AdxAdmin 93.2.53 or later. For Sage X3 versions prior to 12 with Syracuse 12.10.2.8, update to AdxAdmin 93.2.53 or later.

**Name of the Vulnerable Software and Affected Versions** Akkadian Provisioning Manager Engine (PME) versions prior to 5.0.2 Akkadian OVA appliance versions prior to 3.0 Akkadian Appliance Manager versions prior to 3.3.0.314-4a349e0 **Description** The issue concerns a hard-coded credential, with the username `akkadianuser` and password `haakkadianpassword`. This poses a significant security risk as it could allow unauthorized access. **Recommendations** For Akkadian Provisioning Manager Engine (PME) versions prior to 5.0.2, update to version 5.0.2 or later. For Akkadian OVA appliance versions prior to 3.0, update to version 3.0 or later. For Akkadian Appliance Manager versions prior to 3.3.0.314-4a349e0, update to version 3.3.0.314-4a349e0 or later.

**Name of the Vulnerable Software and Affected Versions** Akkadian Provisioning Manager Engine (PME) versions prior to 5.0.2 Akkadian OVA appliance versions prior to 3.0 Akkadian Appliance Manager versions prior to 3.3.0.314-4a349e0 **Description** The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command, which launches a standard vi editor interface that can then be escaped. **Recommendations** For Akkadian Provisioning Manager Engine (PME) versions prior to 5.0.2, update to version 5.0.2 or later. For Akkadian OVA appliance versions prior to 3.0, update to version 3.0 or later. For Akkadian Appliance Manager versions prior to 3.3.0.314-4a349e0, update to version 3.3.0.314-4a349e0 or later.

**Name of the Vulnerable Software and Affected Versions** Akkadian Provisioning Manager Engine versions prior to 5.0.2 Akkadian OVA appliance versions prior to 3.0 Akkadian Appliance Manager versions prior to 3.3.0.314-4a349e0 **Description** The issue allows an attacker to bypass the restricted shell provided by Akkadian Provisioning Manager Engine by switching the OpenSSH channel from `shell` to `exec` and providing a single execution parameter. This could potentially allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For Akkadian Provisioning Manager Engine versions prior to 5.0.2, update to version 5.0.2 or later. For Akkadian OVA appliance versions prior to 3.0, update to version 3.0 or later. For Akkadian Appliance Manager versions prior to 3.3.0.314-4a349e0, update to version 3.3.0.314-4a349e0 or later.