PT-2021-12652 · Sage · Sage X3
Published 2021-07-09 · Updated 2021-08-02 · CVE-2020-7390
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
Sage X3 versions prior to Version 12 (components shipped with Syracuse 12.10.0 and later)
Description:
The issue allows an authenticated user to inject XSS strings into the First Name, Last Name, and Email Address fields on the 'Edit' page of the User Profile component. This can lead to stored XSS attacks. Updates are available for on-premises versions of Sage X3.
Recommendations:
For versions prior to Version 12, update to Version 12 (components shipped with Syracuse 12.10.0 and later) to resolve the issue. As a temporary workaround, consider restricting access to the 'Edit' page of the User Profile component until the update is applied. Avoid using the First Name, Last Name, and Email Address fields in the affected component until the issue is resolved.
Exploit
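As an added illustration of the mitigation, not code from Sage or the Syracuse server: allow-list validation of the three affected fields when the profile is saved, and HTML encoding of the stored values when the 'Edit' page is rendered. The field names and form layout are assumptions.

```javascript
// Added example (not Sage X3 / Syracuse code): the two defensive layers against
// stored XSS in profile fields. Field names (firstName, lastName, email) are assumed.

// Output encoding: every character that can open or close markup or an attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Input validation: allow-lists rather than block-lists of known payloads.
// Names: Unicode letters and marks, spaces, hyphens, apostrophes, periods, 1-100 chars.
const NAME_RE = /^[\p{L}\p{M} .'\-]{1,100}$/u;
// E-mail: conservative shape; angle brackets, quotes and whitespace are never valid here.
const EMAIL_RE = /^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/;

// Returns { ok, errors } where errors lists the fields that failed the allow-list.
function validateProfile(input) {
  const errors = [];
  if (!NAME_RE.test(input.firstName || '')) errors.push('firstName');
  if (!NAME_RE.test(input.lastName || '')) errors.push('lastName');
  if (!EMAIL_RE.test(input.email || '')) errors.push('email');
  return { ok: errors.length === 0, errors };
}

// Rendering the 'Edit' page: even a value that slipped past validation (or was
// stored before the fix) is emitted as inert text, not as markup.
function renderEditForm(profile) {
  return [
    `<input name="firstName" value="${escapeHtml(profile.firstName)}">`,
    `<input name="lastName" value="${escapeHtml(profile.lastName)}">`,
    `<input name="email" value="${escapeHtml(profile.email)}">`,
  ].join('\n');
}

// Constructed sample showing both layers in action.
const sample = { firstName: '<script>alert(1)</script>', lastName: 'Doe', email: 'x"onmouseover="a@b.c' };
console.log(validateProfile(sample)); // { ok: false, errors: [ 'firstName', 'email' ] }
console.log(renderEditForm(sample));  // all three values appear HTML-encoded
```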
Fix
XSS
Affected Products
Sage X3