Researchers at Rapid7, a cybersecurity firm, have reportedly uncovered several vulnerabilities in the Sage X3 enterprise resource planning product. According to the firm, the flaws can be exploited remotely without authentication to achieve a complete remote takeover. Of the four vulnerabilities reported by the researchers, one has been classified as critical while the other three are of medium severity. The most serious flaw, CVE-2020-7388, is described as an unauthenticated remote command execution issue. Researchers reported that the vulnerability lies in a remote administration service and can be exploited by an attacker who sends specially crafted requests to execute commands with elevated privileges.
According to Rapid7, this flaw must be chained with one of the other, medium-severity vulnerabilities to be exploited. The vulnerability that pairs with the critical one is an installation pathname disclosure flaw. The two remaining security flaws are described as an authenticated OS command injection issue and a persistent cross-site scripting issue. The vulnerabilities were allegedly reported to the vendor in February and patched in March. The vendor publicly disclosed the flaws in May.
Read More: Sage X3 Vulnerabilities Can Pose Serious Risk to Organizations