Server-Side Request Forgery in Sage products

Posted date 31/10/2023
Importance
4 - High
Affected Resources
  • XRT Business Exchange DMZ and Proxy Tools, versions 14.0.2.2259 and earlier.
Description

INCIBE has coordinated the publication of 1 vulnerability, discovered by Rafael Pedrero, affecting Sage XRT Business Exchange DMZ and Proxy Tools, a solution for exchanging financial data within a corporate group and with financial institutions.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:

  • CVE-2023-4660: CVSS v3.1 base score 7.5 | CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CWE-918 (Server-Side Request Forgery).
Solution

The vulnerability has been fixed by the Sage team. Affected customers are advised to upgrade to the following software versions:

  • 15.0.1
  • 14.0.108
  • 14.0.5
Detail

CVE-2023-4660: a server-side request forgery (SSRF) vulnerability has been reported in Sage's XRT Business Exchange DMZ and Proxy Tools, affecting version 14.0.2.2259 and earlier. This vulnerability could allow an attacker to brute-force the vulnerable server and cause it to issue malicious requests to third-party servers or internal resources. The published vector rates the issue as reachable over the network without authentication or user interaction (AV:N/PR:N/UI:N) with a high confidentiality impact and no integrity or availability impact (C:H/I:N/A:N).
