CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-34324
https://notcve.org/view.php?id=CVE-2022-34324
01 Jan 2023 — Multiple SQL injections in Sage XRT Business Exchange 12.4.302 allow an authenticated attacker to inject malicious data in SQL queries: Add Currencies, Payment Order, and Transfer History. Múltiples inyecciones de SQL en Sage XRT Business Exchange 12.4.302 permiten a un atacante autenticado inyectar datos maliciosos en consultas SQL: agregar monedas, orden de pago e historial de transferencias. • https://www.synacktiv.com/sites/default/files/2022-12/sage_xrt_multiple_sqli_1.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-34323
https://notcve.org/view.php?id=CVE-2022-34323
01 Jan 2023 — Multiple XSS issues were discovered in Sage XRT Business Exchange 12.4.302 that allow an attacker to execute JavaScript code in the context of other users' browsers. The attacker needs to be authenticated to reach the vulnerable features. An issue is present in the Filters and Display model features (OnlineBanking > Web Monitoring > Settings > Filters / Display models). The name of a filter or a display model is interpreted as HTML and can thus embed JavaScript code, which is executed when displayed. This i... • https://www.synacktiv.com/sites/default/files/2022-12/sage_xrt_multiple_xss.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •