CVE-2020-7389

Summary

Sage X3 System CHAINE Variable Script Command Injection. An authenticated user with developer access can pass OS commands via this variable used by the web application. Note, this developer configuration should not be deployed in production.

Affected Software

VendorProductVersion RangeStatus
SageX3V9 < Syracuse 9.22.7.2affected
SageX3V11 < Syracuse 11.25.2.6affected
SageX3V12 < Syracuse 12.10.2.8affected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

ADP Enrichment

CVE Program Container

Additional References

References