PT-2023-13619 · Sage · Sage 300

Published: 2023-04-28 · Updated: 2025-01-31 · CVE-2022-38583

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Sage 300 versions 6.4.x through 6.9.x

Description: A low-privileged Sage 300 workstation user could abuse their access to the SharedData folder on the connected Sage 300 server to view and/or modify the credentials associated with Sage 300 users and SQL accounts, in order to impersonate users and/or access the SQL database as a system administrator. With system administrator-level access to the Sage 300 MS SQL database, it would be possible to create, update, and delete all records associated with the program and, depending on the configuration, execute code on the underlying database server.

Recommendations: For Sage 300 versions 6.4.x through 6.9.x, consider restricting access to the SharedData folder on the connected Sage 300 server to minimize the risk of exploitation. As a temporary workaround, limit the privileges of low-privileged Sage 300 workstation users to prevent them from accessing sensitive credentials. Ensure that the Sage 300 MS SQL database is properly configured to prevent unauthorized access and execution of code on the underlying database server. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
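The recommendation above amounts to checking who can read or write the SharedData folder. The following PowerShell script is an added example, not part of the advisory and not Sage's own tooling: it audits the folder's ACL for broad identities (Everyone, Authenticated Users, BUILTIN\Users) that hold read or write-capable rights, which is the condition the description relies on. The SharedData path is a placeholder; the list of "broad" identities is an assumption you can extend for your domain groups.

```powershell
# Added example (not from the advisory): audit the Sage 300 SharedData folder ACL
# for broad identities with read or write-capable rights.
# $SharedDataPath is a PLACEHOLDER; replace it with the real folder on the server.
param(
    [string]$SharedDataPath = 'C:\PLACEHOLDER\SharedData'
)

# Identities that effectively mean "any workstation user" (assumed list; extend as needed).
$broadIdentities = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE'
)

$FSR = [System.Security.AccessControl.FileSystemRights]

# Rights that allow changing files (credential stores among them) or the ACL itself.
$writeMask = $FSR::Write -bor $FSR::Modify -bor $FSR::FullControl -bor
             $FSR::WriteData -bor $FSR::AppendData -bor $FSR::Delete -bor
             $FSR::ChangePermissions -bor $FSR::TakeOwnership

# Rights that allow reading file contents (enough to view stored credentials).
$readMask = $FSR::Read -bor $FSR::ReadData -bor $FSR::ReadAndExecute

function Get-BroadAccess {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries granted to a broad identity are findings.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadIdentities -notcontains $ace.IdentityReference.Value) { continue }

        $canWrite = (($ace.FileSystemRights -band $writeMask) -ne 0)
        $canRead  = (($ace.FileSystemRights -band $readMask)  -ne 0)
        if (-not ($canWrite -or $canRead)) { continue }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            # Write access lets a user modify credentials; read access lets them view them.
            Finding   = if ($canWrite) { 'WRITE access for broad group' } else { 'READ access for broad group' }
        }
    }
}

# Audit the folder itself and every file/subfolder beneath it, since a tighter
# ACL on the parent is undone by a looser explicit ACL on a child.
$targets = @($SharedDataPath) + (Get-ChildItem -Path $SharedDataPath -Recurse -Force |
                                 Select-Object -ExpandProperty FullName)

$findings = foreach ($t in $targets) { Get-BroadAccess -Path $t }

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning ("{0} ACE(s) grant broad read/write access under {1}" -f $findings.Count, $SharedDataPath)
} else {
    Write-Output "No broad read/write ACEs found under $SharedDataPath"
}
```

Run it on the Sage 300 server with an account that can read the folder's security descriptor. Any WRITE finding matches the modify-credentials path in the description; READ findings still matter, because viewing the stored SQL credentials is sufficient for the database-access scenario. Remediation is to replace the broad entry with the specific service and administrator accounts that need access, then re-run the script to confirm the findings are gone.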

Exploit

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

CVE-2022-38583

Affected Products

Sage 300