PT-2023-13357 · Sage · Sage Enterprise Intelligence

Published

2023-01-01

·

Updated

2025-04-10

·

CVE-2022-34322

CVSS v3.1

9.0

Critical

Vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Sage Enterprise Intelligence version 2021 R1.1
Description: Multiple XSS issues were discovered that allow an attacker to execute JavaScript code in the context of users' browsers. The attacker needs to be authenticated to reach the vulnerable features. An issue is present in the Notify Users About Modification menu and the Notifications feature, where a user can send malicious notifications and execute JavaScript code in the browser of every user who has enabled notifications. This is a stored XSS and can lead to privilege escalation in the context of the application. Another issue is present in the Favorites tab, where the name of a favorite or a folder of favorites is interpreted as HTML and can embed JavaScript code, which is executed when displayed, resulting in a self-XSS.
Recommendations: For Sage Enterprise Intelligence version 2021 R1.1, consider disabling the Notifications feature and restricting access to the Favorites tab until a patch is available. As a temporary workaround, users should avoid the Favorites tab and treat incoming notifications with caution. Users should also refrain from sending malicious notifications, since such notifications execute JavaScript code in other users' browsers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
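The rendering defect the description points at (user-controlled notification text and favorite names treated as HTML rather than as data) contrasted with its hardened form, as an added JavaScript example that is not Sage's code and is not taken from the advisory. The field names `sender` and `message`, the rendering functions, the `leaksRawMarkup` check and the sample notification are constructed assumptions for illustration.

```javascript
// Added example (not Sage's code, not from the advisory): the rendering pattern
// behind a stored or self XSS such as the one described, beside its hardened form.
// Field names (sender, message) and the sample data are constructed assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Contextual output encoding for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user-controlled fields are concatenated straight into markup.
// Whatever is in `message` becomes live HTML once this string reaches innerHTML.
function renderNotificationUnsafe(n) {
  return `<li class="notification"><b>${n.sender}</b>: ${n.message}</li>`;
}

// Hardened pattern: every user-controlled field is encoded before entering markup.
// In browser code the equivalent is assigning to `textContent` instead of `innerHTML`.
function renderNotificationSafe(n) {
  return `<li class="notification"><b>${escapeHtml(n.sender)}</b>: ${escapeHtml(n.message)}</li>`;
}

// The favorites case is the same rule applied to a single name field.
function renderFavoriteSafe(name) {
  return `<li class="favorite">${escapeHtml(name)}</li>`;
}

// Defensive check for unit tests or code review: a user-supplied value that
// contains markup must never appear verbatim in the rendered output.
function leaksRawMarkup(rendered, userValue) {
  return /<\/?[a-z]/i.test(userValue) && rendered.includes(userValue);
}

// Constructed sample: a notification whose message carries a script tag.
const sampleNotification = {
  sender: 'alice',
  message: 'Report updated <script>alert("stored xss")</script>',
};

// Stand-alone run: show both renderings and the leak check on each.
console.log(renderNotificationUnsafe(sampleNotification));
console.log(renderNotificationSafe(sampleNotification));
console.log('unsafe leaks markup:',
  leaksRawMarkup(renderNotificationUnsafe(sampleNotification), sampleNotification.message));
console.log('safe leaks markup:',
  leaksRawMarkup(renderNotificationSafe(sampleNotification), sampleNotification.message));
```

The encoding must happen at render time, in the context the value lands in; escaping on input is not a substitute, because a favorite name or notification that is stored already-escaped gets double-encoded elsewhere and is easy to bypass when a second code path reads the raw value. A Content Security Policy that disallows inline script reduces the impact of a residual defect but does not replace output encoding.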

Exploit

LPE

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-34322

Affected Products

Sage Enterprise Intelligence