CVE-2017-3183
Summary
| CVE | CVE-2017-3183 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-07-24 15:29:00 UTC |
| Updated | 2019-10-09 23:27:00 UTC |
| Description | Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. Sage XRT Treasury is a business finance management application. Database user access privileges are determined by the USER_CODE field associated with the querying user. By modifying the USER_CODE value to match that of a privileged user, a low-privileged, authenticated user may gain privileged access to the SQL database. A remote, authenticated user can submit specially crafted SQL queries to gain privileged access to the application database. |
Risk And Classification
Problem Types: CWE-863
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Sage | Xrt Treasury | 3.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Sage XRT Treasury CVE-2017-3183 SQL Injection Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Vulnerability Note VU#742632 - Sage XRT Treasury database fails to properly restrict access to authorized users | CERT-VN | www.kb.cert.org | Third Party Advisory, US Government Resource |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Thanks to Victor Portal Gonzalez of Deloitte Spain for reporting this vulnerability.
There are currently no legacy QID mappings associated with this CVE.