Rapid 7 finds four important vulnerabilities in Sage Business Cloud X3

Rapid7 released important details regarding four vulnerabilities found in SageX3. One has even been rated as critical. Sage has developed patches for three of the vulnerabilities which have been accessible since March.

What vulnerabilities did Rapid7 find?

Rapid7 disclosed details regarding the vulnerabilities found in Sage X3. One of them has been rated 10.0, which is critical.

These vulnerabilities were identified by Rapid7 back in December of last year. These were passed on to Sage in February, and they released updates the next month. Two months after that, Sage spoke to those customers who had yet to apply the patches. The four vulnerabilities have now been publicly disclosed and are CVE-2020-7390, 7387, 7388, and 7389. Here are more details on them individually:

CVE-2020-7390

Rated at 4.6, which is medium
CWE-79: Persistent Cross-Site Scripting (XXS) in Syracuse
The update is available, but it affects only v12, while the other issues also affect V11 and V9.

CVE-2020-7387

Rated at 5.3, which is medium
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in AdxAdminThe update is available

CVE-2020-7388

Rated at 10.0, which is highly critical
CWE-290: Unauthenticated Command Execution Bypass by Spoofing in AdxAdmin
The update is available

CVE-2020-7389

Rated at 5.5, which is medium
CWE-306: Missing Authentication for Critical Function in Developer Environment in Syracuse
No fix has been planned because this is not a production function but rather a development function

Sage’s Response

When asked how Sage will ensure their customers are applying the patch, VP Product, Rob Sinfield, responded by saying, “We have made best efforts to contact relevant Sage X3 on-premises customers (direct, or via our VAR partners) and advised them of this potential vulnerability and the advised fix, as well as proactively provided the patch through all customer-facing support channels.”

They also offer quarterly updates of relevant security patches. Their own software, as well as 3rd party components, are used to identify these needs. The Sage Representative also expressed that their customers also get regular recommendations for security best practices that they are encouraged to keep up with.

Stay tuned, subscribe!

Rapid 7 finds four important vulnerabilities in Sage Business Cloud X3

Tags in this article

Events - Techcalendar

Red Hat Summit

RSA Conference 2024

Knowledge 2024

Top Stories

ASML: from a leaky shed to the chip industry’s key player

Snowflake enters the LLM war with introduction of Arctic

Update: IBM confirms multi-billion acquisition of HashiCorp

Review: Kingston IronKey D500S – secure USB drive with strong armour

Bug bounty in practice: the final layer of security

Recent news

Microsoft and IBM open-source MS-DOS 4.00 from 1986

Dutch CERRIX targets European expansion with new investment

Bezos and Jassy accused of deleting chats during investigation

Atlassian founder Scott Farquhar to step down as CEO

Revenue from Microsoft and Google cloud services grows significantly

Lenovo and AMD join forces and introduce a series of ‘AI-proof’ servers