Known Vulnerabilities for products from Sage

Listed below are 20 of the newest known vulnerabilities associated with the vendor "Sage".

These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.

Data on known vulnerable products is also displayed, based on information from known CPEs; each product links to its respective vulnerability page.

Known Vulnerabilities

| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2025-67807 | | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2025-67806 | | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2025-67805 | | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2024-52384 | | Not Provided | 2024-11-14 | 2026-04-01 |
| CVE-2023-31868 | Sage X3 version 12.14.0.50-0 is vulnerable to Cross Site Scripting (XSS). Some parts of the Web application are dynamically b... | 5.4 - MEDIUM | 2023-06-22 | 2023-06-28 |
| CVE-2023-31867 | Sage X3 version 12.14.0.50-0 is vulnerable to CSV Injection. | 7.2 - HIGH | 2023-06-22 | 2023-06-28 |
| CVE-2023-29927 | Versions of Sage 300 through 2022 implement role-based access controls that are only enforced client-side. Low-privileged Sag... | 4.3 - MEDIUM | 2023-05-16 | 2023-05-25 |
| CVE-2023-2809 | Plaintext credential usage vulnerability in Sage 200 Spain 2023.38.001 version, the exploitation of which could allow a remot... | 9.8 - CRITICAL | 2023-10-04 | 2023-12-19 |
| CVE-2022-41400 | Sage 300 through 2022 uses a hard-coded 40-byte blowfish key to encrypt and decrypt user passwords and SQL connection strings... | 9.8 - CRITICAL | 2023-04-28 | 2023-05-05 |
| CVE-2022-41399 | The optional Web Screens feature for Sage 300 through version 2022 uses a hard-coded 40-byte blowfish key ("PASS_KEY") to enc... | 7.5 - HIGH | 2023-04-28 | 2023-05-05 |
| CVE-2022-41398 | The optional Global Search feature for Sage 300 through version 2022 uses a set of hard-coded credentials for the accompanyin... | 7.5 - HIGH | 2023-04-28 | 2023-05-05 |
| CVE-2022-41397 | The optional Web Screens and Global Search features for Sage 300 through version 2022 use a hard-coded 40-byte blowfish key (... | 9.8 - CRITICAL | 2023-04-28 | 2023-05-05 |
| CVE-2022-38583 | On versions of Sage 300 2017 - 2022 (6.4.x - 6.9.x) which are setup in a "Windows Peer-to-Peer Network" or "Client Server Net... | 7.8 - HIGH | 2023-04-28 | 2023-05-05 |
| CVE-2022-34324 | Multiple SQL injections in Sage XRT Business Exchange 12.4.302 allow an authenticated attacker to inject malicious data in SQ... | 8.8 - HIGH | 2023-01-01 | 2023-01-09 |
| CVE-2022-34323 | Multiple XSS issues were discovered in Sage XRT Business Exchange 12.4.302 that allow an attacker to execute JavaScript code ... | 5.4 - MEDIUM | 2023-01-01 | 2023-01-09 |
| CVE-2022-34322 | Multiple XSS issues were discovered in Sage Enterprise Intelligence 2021 R1.1 that allow an attacker to execute JavaScript co... | 9 - CRITICAL | 2023-01-01 | 2023-01-09 |
| CVE-2021-45492 | In Sage 300 ERP (formerly accpac) through 6.8.x, the installer configures the C:\Sage\Sage300\Runtime directory to be the fir... | 7.8 - HIGH | 2022-07-14 | 2023-08-08 |
| CVE-2020-13893 | Multiple stored cross-site scripting (XSS) vulnerabilities in Sage EasyPay 10.7.5.10 allow authenticated attackers to inject ... | 5.4 - MEDIUM | 2020-10-18 | 2020-10-27 |
| CVE-2020-7390 | Sage X3 Stored XSS Vulnerability on ‘Edit’ Page of User Profile. An authenticated user can pass XSS strings the "First Na... | 5.4 - MEDIUM | 2021-07-22 | 2023-11-07 |
| CVE-2020-7389 | Sage X3 System CHAINE Variable Script Command Injection. An authenticated user with developer access can pass OS commands via... | 7.2 - HIGH | 2021-07-22 | 2022-07-15 |

Known software with vulnerabilities from Sage

| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Sage | Easypay | 10.7.5.10 |
| Application | Sage | Sage Timesheet | 9.85.1 |
| Application | Sage | Xrt Treasury | 3.0 |