← Back

CVE-2020-7389

nvd nist
Published: Jul 22, 2021Modified: Nov 21, 2024

JSON object

Loading...
7.2
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 / Impact: 5.9
Source: NVD

Description

Sage X3 System CHAINE Variable Script Command Injection. An authenticated user with developer access can pass OS commands via this variable used by the web application. Note, this developer configuration should not be deployed in production.

Affected (3)

Products: Sage: Syracuse
Sage
1 product
Syracuse
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Syracuse
From 9.0 to 9.22.7.2
Running on/withPlatform Versions
Sage
X3
Version 9.0
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Syracuse
From 11.0 to 11.25.2.6
Running on/withPlatform Versions
Sage
X3
Version 11.0
Configuration C
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Syracuse
From 12.0 to 12.10.2.8
Running on/withPlatform Versions
Sage
X3
Version 12.0

Related CWEs

CWE-306
Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (3)

Source: cve@rapid7.com
Broken Link
Source: nvd@nist.gov
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Broken Link

Timeline

No history available yet.