CVE-2020-7389
MEDIUM
Sage Syracuse 9.0-9.22.7.2 - Authenticated OS Command Injection via CHAINE Variable
Title source: llm
Description
Sage X3 System CHAINE Variable Script Command Injection. An authenticated user with developer access can pass OS commands via this variable used by the web application. Note, this developer configuration should not be deployed in production.
References (2)
Core References
Broken Link x_refsource_misc
https://rapid7.com/blog/post/2021/07/07/sage-x3-multiple-vulnerabilities-fixed
Exploit, Third Party Advisory
https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/
Scores
CVSS v3
5.5
EPSS
0.0207
EPSS Percentile
79.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Details
CWE
CWE-306
CWE-78
Status
published
Products (1)
sage/syracuse
9.0 - 9.22.7.2
Published
Jul 22, 2021
Tracked Since
Feb 18, 2026