Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. Sage XRT Treasury is a business finance management application. Database user access privileges are determined by the USER_CODE field associated with the querying user. By modifying the USER_CODE value to match that of a privileged user, a low-privileged, authenticated user may gain privileged access to the SQL database. A remote, authenticated user can submit specially crafted SQL queries to gain privileged access to the application database.

Related CVEs

CVE-2017-3183

Key Information

GHSA ID

GHSA-pvcf-3v6c-7ppw

Published

May 13, 2022 1:36 AM

Last Modified

May 13, 2022 1:36 AM

CVSS Score

7.5 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: June 14, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.