PT-2021-12649 · Sage · Syracuse+3
Aaron Herndon +7 · Published 2021-07-08 · Updated 2021-08-09 · CVE-2020-7387
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Sage X3 versions prior to 9 with Syracuse 9.22.7.2
Sage X3 HR & Payroll versions prior to 9 with Syracuse 9.24.1.3
Sage X3 versions prior to 11 with Syracuse 11.25.2.6
Sage X3 versions prior to 12 with Syracuse 12.10.2.8
Description:
A specially crafted packet can elicit a response from the AdxDSrv.exe component that reveals the installation directory of the product. This issue can be combined with another vulnerability to achieve full remote code execution (RCE).
Recommendations:
For Sage X3 versions prior to 9 with Syracuse 9.22.7.2, update to AdxAdmin 93.2.53 or later.
For Sage X3 HR & Payroll versions prior to 9 with Syracuse 9.24.1.3, update to AdxAdmin 93.2.53 or later.
For Sage X3 versions prior to 11 with Syracuse 11.25.2.6, update to AdxAdmin 93.2.53 or later.
For Sage X3 versions prior to 12 with Syracuse 12.10.2.8, update to AdxAdmin 93.2.53 or later.
Exploit
Fix
Information Disclosure
Affected Products
AdxAdmin
AdxDSrv.exe
Sage X3
Syracuse