Server-Side Request Forgery in Sage products

Posted date 31/10/2023
4 - High
Affected Resources
  • XRT Business Exchange DMZ and Proxy Tools, versions and earlier.

INCIBE has coordinated the publication of one vulnerability affecting Sage XRT Business Exchange DMZ and Proxy Tools, a solution for exchanging financial data within a corporate group and with financial institutions. The vulnerability was discovered by Rafael Pedrero.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:

  • CVE-2023-4660: CVSS v3.1: 7.5 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CWE-918.

The vulnerability has been fixed by the Sage team. Affected customers are advised to upgrade to the following software versions:

  • 15.0.1
  • 14.0.108
  • 14.0.5

CVE-2023-4660: a server-side request forgery (SSRF) vulnerability has been reported in Sage's XRT Business Exchange DMZ and Proxy Tools, affecting version and earlier. An unauthenticated remote attacker (the vector is AV:N/PR:N/UI:N) could abuse the vulnerable server as a request relay, making it issue attacker-controlled requests to third-party servers or to internal resources that are not directly reachable from outside, for example to probe internal hosts and services. The rated impact is to confidentiality only (C:H/I:N/A:N).
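The defect class described above is server-side request forgery: the application fetches a URL it receives from outside without constraining where that request may go. As an added illustration (not code from Sage or INCIBE, and not a description of how this particular product was fixed), the following Python sketch shows the kind of outbound-URL validation that closes that gap: scheme and host allowlisting, rejection of literal IP addresses and userinfo tricks, and a check of every resolved address so that an allowlisted name cannot be pointed at loopback, RFC 1918 or link-local (cloud metadata) space. The host names, the ALLOWED_HOSTS set and the stub DNS records are constructed for the example.

```python
"""Outbound-URL validation against SSRF (CWE-918).

Added illustration only: this is not code from Sage or INCIBE and does not
describe the vendor's fix. Host names, allowlist entries and the stub DNS
records are constructed for the example.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations the service legitimately talks to (constructed values).
ALLOWED_HOSTS = {"bank.example.com", "partner.example.net"}
ALLOWED_SCHEMES = {"https"}

# Constructed DNS answers so the example runs offline. The second record for
# partner.example.net is an IPv4-mapped private address, standing in for an
# allowlisted name that has been (re)pointed at internal address space.
STUB_DNS = {
    "bank.example.com": ["198.160.0.10"],  # arbitrary globally routable value
    "partner.example.net": ["2a02:1234::7", "::ffff:10.0.0.5"],
}


def stub_resolver(host: str) -> list:
    """Offline stand-in for DNS, returning ipaddress objects."""
    return [ipaddress.ip_address(a) for a in STUB_DNS.get(host, [])]


def dns_resolver(host: str) -> list:
    """Real resolution: every A and AAAA record for host (scope ids stripped)."""
    infos = socket.getaddrinfo(host, None)
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def is_forbidden_ip(ip) -> bool:
    """True for addresses that would let the server reach internal resources."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for RFC 1918, loopback, link-local (169.254/16, where
    # cloud metadata endpoints live), CGNAT, unspecified and reserved space.
    return (not ip.is_global) or ip.is_multicast


def validate_outbound_url(url: str, resolver=dns_resolver) -> str:
    """Return the normalised host if url is safe to fetch, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    # https://bank.example.com@10.0.0.1/ has host 10.0.0.1, not the bank.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    host = host.rstrip(".").lower()
    # A literal address sidesteps the name allowlist entirely; reject it.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise ValueError("literal IP addresses not allowed")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowlisted: {host!r}")
    # Check every resolved address: an allowlisted name can still point inward
    # through a compromised zone or DNS rebinding.
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for ip in addrs:
        if is_forbidden_ip(ip):
            raise ValueError(f"{host} resolves to forbidden address {ip}")
    return host


def is_safe_outbound_url(url: str, resolver=dns_resolver) -> bool:
    """Boolean wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Run constructed URLs through the check using the offline stub resolver."""
    urls = [
        "https://bank.example.com/api/v1",
        "https://partner.example.net/",
        "http://bank.example.com/",
        "https://bank.example.com@10.0.0.1/",
        "https://169.254.169.254/latest/meta-data/",
        "https://[::1]/",
        "https://intranet.example.com/",
    ]
    return {u: is_safe_outbound_url(u, stub_resolver) for u in urls}


if __name__ == "__main__":
    for url, ok in demo().items():
        print("ALLOW" if ok else "DENY ", url)
```

The check resolves the name itself and inspects every returned record because an allowlist of host names alone does not stop a name that resolves to an internal address; in production the fetch should also be pinned to the validated address (or made through an egress proxy that enforces the same policy), since a second, unchecked resolution at connect time reopens the rebinding window.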
