
Sage X3: Syracuse Server Security Hotfixes - Sage X3 Version 12 Patch 33 (2023R1) & Version 12 Patch 34 (2023R2)

A security risk has been detected within Sage X3 that may impact customers using Sage X3 and Sage X3 Warehousing. The security risk is related to a platform component: Syracuse Server.

Please make sure the following instructions are carefully reviewed for all customers: 

  • Please review updated security guidelines in the Sage X3 Online Help 

Sage provides a set of guidelines outlining best practices for deploying Sage X3 in a secure way. Our recommendation is that customers review these guidelines to ensure that Sage X3 is deployed securely. Please refer to the current security best practice recommendations available via the Sage X3 Online Help Center. 

  • Security Syracuse Server hotfixes: 

Syracuse Server security fixes are available here:

For Patch 33 (12.18.18.3)

For Patch 34 (12.19.10.10)

Please see the details of the vulnerabilities below:  

Information Disclosure (Severity: Medium): Some endpoints in Sage X3 allow a user with sufficient access rights to read object properties that are not meant to be disclosed. This is restricted to objects the user already has access to, depending on their role and access rights in Sage X3. With the hotfix, object properties that are not meant to be disclosed are no longer returned in any scenario.

Brute force attack – Login credentials (Severity: Medium): The X3 basic login screen may allow an attacker to perform brute force attacks and, if successful, gain unauthorized access. This attack scenario is possible only when basic (user / password) authentication is used. Reminder: as per Sage security guidelines, basic authentication (user / password) must never be used in production instances.

Mass Assignment (Severity: Medium): The Sage X3 REST API allows a user with sufficient access rights to modify object properties that are not meant to be modifiable. This is only possible for objects the user already has access to, depending on their role and access rights in X3. With the hotfix, object properties that are not meant to be modified by a user are no longer modifiable via the REST API.
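The information-disclosure and mass-assignment items above are two sides of the same defect: an object is serialized to, or merged from, an API client without a per-property allow-list. The following added example (not Sage code, and not a description of how Syracuse Server implements its fix) shows a constructed record with writable, read-only and hidden properties, the vulnerable read and update handlers beside hardened ones, and what an attacker-supplied PATCH body achieves against each. The property names and the record shape are assumptions for illustration, not the Sage X3 schema.

```javascript
// Constructed property classes for one record type (assumed names, not Sage X3 fields).
const RECORD_SCHEMA = {
  writable: new Set(['description', 'email', 'phone']),   // client may read and write
  readOnly: new Set(['code', 'createdAt', 'version']),     // client may read, server manages
  hidden: new Set(['passwordHash', 'internalNotes']),      // must never leave the server
};

// Constructed sample record as it would sit in the database.
function seedRecord() {
  return {
    code: 'CUST001',
    description: 'Constructed sample customer',
    email: 'buyer@example.invalid',
    phone: '+00 000 000',
    createdAt: '2023-01-01T00:00:00Z',
    version: 1,
    passwordHash: '$2b$12$constructed-hash-value',
    internalNotes: 'credit check pending',
  };
}

// BEFORE (information disclosure): the whole stored object is returned.
function serializeVulnerable(record) {
  return { ...record };
}

// AFTER: only properties explicitly classed as disclosable are copied out.
// Unknown keys fall through to "not disclosed", so a new column added later
// is hidden by default rather than leaked by default.
function serializeHardened(record) {
  const out = {};
  for (const key of Object.keys(record)) {
    if (RECORD_SCHEMA.writable.has(key) || RECORD_SCHEMA.readOnly.has(key)) {
      out[key] = record[key];
    }
  }
  return out;
}

// BEFORE (mass assignment): the request body is merged straight into the object,
// so any property the client names, including server-managed ones, is overwritten.
function patchVulnerable(record, body) {
  return Object.assign({ ...record }, body);
}

// AFTER: every key in the body must be on the writable allow-list, otherwise the
// request is rejected with 400 and the offending keys are named. Rejecting beats
// silently dropping the keys because it surfaces broken or hostile clients in logs.
function patchHardened(record, body) {
  const rejected = Object.keys(body).filter((key) => !RECORD_SCHEMA.writable.has(key));
  if (rejected.length > 0) {
    return { ok: false, status: 400, rejected };
  }
  const updated = { ...record, ...body, version: record.version + 1 }; // server bumps version
  return { ok: true, status: 200, record: updated };
}

// Runs the constructed attack against both versions and reports the outcome.
function demo() {
  const record = seedRecord();
  // Constructed attacker body: one legitimate field plus two that must stay server-controlled.
  const hostileBody = { email: 'attacker@example.invalid', version: 99, passwordHash: '$2b$12$attacker' };
  const leaked = (obj) => Object.keys(obj).filter((key) => RECORD_SCHEMA.hidden.has(key));
  return {
    leakedBefore: leaked(serializeVulnerable(record)),
    leakedAfter: leaked(serializeHardened(record)),
    tamperedBefore: patchVulnerable(record, hostileBody).passwordHash,
    patchAfter: patchHardened(record, hostileBody),
    legitimateAfter: patchHardened(record, { email: 'new@example.invalid' }),
  };
}
```

Against the vulnerable handlers the read leaks both hidden properties and the PATCH replaces the stored password hash; against the hardened ones the read returns nothing hidden, the hostile PATCH is refused naming `version` and `passwordHash`, and a body touching only a writable field still succeeds. The allow-list approach also neutralizes keys such as `__proto__` in a JSON body, since they are never on the writable set.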