Rapid7 released important details regarding four vulnerabilities found in Sage X3. One has even been rated as critical. Sage has developed patches for three of the vulnerabilities, and these have been available since March.

What vulnerabilities did Rapid7 find?

Rapid7 disclosed details regarding the vulnerabilities found in Sage X3. One of them has been rated 10.0, which is critical.

These vulnerabilities were identified by Rapid7 back in December of last year. They were passed on to Sage in February, and Sage released updates the next month. Two months after that, Sage spoke to those customers who had yet to apply the patches. The four vulnerabilities have now been publicly disclosed and are CVE-2020-7390, CVE-2020-7387, CVE-2020-7388, and CVE-2020-7389. Here are more details on them individually:

CVE-2020-7390

  • Rated at 4.6, which is medium
  • CWE-79: Persistent Cross-Site Scripting (XSS) in Syracuse
  • The update is available. This issue affects only V12, while the other issues also affect V11 and V9.

CVE-2020-7387

  • Rated at 5.3, which is medium
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in AdxAdmin
  • The update is available

CVE-2020-7388

  • Rated at 10.0, which is highly critical
  • CWE-290: Unauthenticated Command Execution Bypass by Spoofing in AdxAdmin
  • The update is available

CVE-2020-7389

  • Rated at 5.5, which is medium
  • CWE-306: Missing Authentication for Critical Function in Developer Environment in Syracuse
  • No fix has been planned because this is not a production function but rather a development function

Sage’s Response

When asked how Sage will ensure their customers are applying the patch, VP Product, Rob Sinfield, responded by saying, “We have made best efforts to contact relevant Sage X3 on-premises customers (direct, or via our VAR partners) and advised them of this potential vulnerability and the advised fix, as well as proactively provided the patch through all customer-facing support channels.”

Sage also offers quarterly updates of relevant security patches. Their own software, as well as third-party components, are used to identify these needs. The Sage representative added that customers get regular recommendations for security best practices, which they are encouraged to keep up with.