PT-2023-3640 · Sage · Sage X3

Maxime Dupuis +1

Published 2023-02-24 · Updated 2023-06-28 · CVE-2023-31868

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Sage X3 version 12.14.0.50-0
Description: The issue is a Cross Site Scripting (XSS) vulnerability in the Sage X3 Web application. Some parts of the application are built dynamically from user inputs, but those inputs are not verified or filtered to ensure they match the expected format. As a result, HTML/JavaScript code injected into these fields is saved by the application and later executed by the web browser of the user who views it. Several injection points have been identified; the most significant one requires only a user authenticated with a common account and allows an Administrator to be targeted. The other endpoints require the malicious user to be authenticated as an Administrator, which diminishes their impact.
Recommendations: For Sage X3 version 12.14.0.50-0, consider disabling the dynamic building of Web application parts from user inputs until a patch is available. Restrict access to the identified injection points to minimize the risk of exploitation, and ensure that all user inputs are properly verified and filtered to prevent code injection. At the moment there is no information about a newer version that contains a fix for this vulnerability.
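The two recommendations above (verify inputs against the expected format, and do not build application markup from raw user data) are shown here as an added JavaScript example. This code is not from the advisory or from Sage X3; the display-name field, the in-memory store and every function name are constructed for illustration, and the payload is a constructed sample. It contrasts the stored-XSS pattern the description names, where a value saved by a low-privileged account runs in the viewer's browser, with a hardened version that validates on write and entity-encodes on render.

```javascript
// Added example, not code from the advisory or from Sage X3: one stored field
// rendered two ways, the unsafe pattern the advisory describes and a hardened one.

// Entity-encode the five characters that can break out of HTML text or
// attribute context. Output encoding protects whoever views the stored value,
// regardless of which account stored it.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist for a display-name style field (constructed; a real field gets its
// own format): letters, digits, space, dot, hyphen, underscore, 1 to 64 chars.
const DISPLAY_NAME_RE = /^[\p{L}\p{N} ._-]{1,64}$/u;

function validateDisplayName(value) {
  if (typeof value !== 'string' || !DISPLAY_NAME_RE.test(value)) {
    throw new Error('display name rejected: does not match the expected format');
  }
  return value;
}

// In-memory store standing in for the application's persistence layer.
const profileStore = new Map();

// Vulnerable pattern: the raw input is stored and concatenated into markup, so
// whatever a common user saved runs in the browser of the Administrator who views it.
function saveProfileUnsafe(userId, displayName) {
  profileStore.set(userId, displayName);
}

function renderProfileUnsafe(userId) {
  return `<span class="name">${profileStore.get(userId) ?? ''}</span>`;
}

// Hardened pattern: validate against the expected format on write and encode on
// render. Both layers are kept: validation limits what gets stored, encoding keeps
// the view safe even for values stored before validation existed.
function saveProfileSafe(userId, displayName) {
  profileStore.set(userId, validateDisplayName(displayName));
  return true;
}

function renderProfileSafe(userId) {
  return `<span class="name">${escapeHtml(profileStore.get(userId) ?? '')}</span>`;
}

// Check used by tests and log review: does rendered output still carry a
// script tag or an inline event-handler attribute?
function containsActiveMarkup(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Stand-alone demonstration with a constructed payload.
const PAYLOAD = '<script>alert(1)</script>';
saveProfileUnsafe('user-1', PAYLOAD);
console.log('unsafe render:', renderProfileUnsafe('user-1'),
  'active markup:', containsActiveMarkup(renderProfileUnsafe('user-1')));
try {
  saveProfileSafe('user-2', PAYLOAD);
} catch (err) {
  console.log('safe write rejected:', err.message);
}
// A value stored before validation existed is still neutralised at render time.
console.log('safe render of legacy value:', renderProfileSafe('user-1'));
```

Validation alone is the weaker of the two layers: it only governs new writes, and a field that legitimately needs characters such as `<` or `"` cannot use an allowlist this strict. Render-time encoding is what makes the stored value inert for the viewing account, which is why the hardened path keeps both.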

Exploit: XSS

Weakness Enumeration

Related Identifiers

BDU:2023-03924
CVE-2023-31868

Affected Products

Sage X3