
Security Hotfixes delivery

A security risk within Sage X3 has been discovered that may impact customers using Sage X3, Sage X3 Warehousing, Sage X3 HR and Payroll and HRU9.

We encourage you to always follow our Security Best Practices published on the Sage X3 Online help to reduce security risks.

There are two specific alerts that have been identified:

  • Stored cross-site scripting in the Web interface (Critical): An authenticated user can craft a malicious payload that causes arbitrary JavaScript code to be executed in the context of a victim user who visits the vulnerable page.
  • CSV formula injection in the CSV export feature (Major): An authenticated user can build a malicious formula that runs an arbitrary command in the system environment of a victim user who opens the export in Microsoft Excel or LibreOffice Calc, if that user has lowered the Microsoft Excel or LibreOffice Calc security level.
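The two issue classes above are both closed on the server side by encoding untrusted values for the context they are written into. The following is an added illustration in JavaScript, not Sage's fix or any Sage X3 code; the function names and the sample rows are constructed for the example.

```javascript
// Added example (not Sage's code): output encoding against CSV formula
// injection and stored XSS. Names and sample data are constructed.

// Leading characters that make Excel / LibreOffice Calc evaluate a cell as a formula.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// Sanitise one cell for CSV export: numbers cannot carry a formula and are
// emitted as-is; any other value that starts with a formula trigger gets a
// leading single quote so the spreadsheet shows it as text. The cell is then
// quoted and embedded quotes are doubled, as RFC 4180 requires.
function csvCell(value) {
  if (typeof value === 'number' && Number.isFinite(value)) {
    return String(value);
  }
  let text = value == null ? '' : String(value);
  if (text.length > 0 && FORMULA_TRIGGERS.has(text[0])) {
    text = "'" + text;
  }
  return '"' + text.replace(/"/g, '""') + '"';
}

// Render rows (arrays of values) as CSV with every cell sanitised.
function toCsv(rows) {
  return rows.map((row) => row.map(csvCell).join(',')).join('\r\n');
}

// Escape untrusted text before it is placed in HTML element content or a
// double-quoted attribute, so stored input cannot be rendered as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample: a user-controlled "Name" field as it might reach an export.
const sampleRows = [
  ['Name', 'Balance'],
  ['=SUM(1,2)', 12.5],
  ['O\'Brien, "Pat"', -3],
];

console.log(toCsv(sampleRows));
console.log(escapeHtml('<script>alert(1)</script>'));
```

The single-quote prefix is what Excel and Calc use to mark a cell as literal text, so the exported value survives intact while losing its formula meaning.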

Security updates delivered by Sage according to the Lifecycle Policy:

These are available on our FTP site for download. We strongly advise you to apply all security patches issued by Sage.

  • For Version 11: This SyracuseServer 11.30.5 component (fix) applies to the latest patch level V11 patch 22. (Fixes the critical vulnerability)
  • For HRU9: This SyracuseServer 12.17.12 component (fix) applies to the latest patch level HRU9 patch 29. (Fixes both vulnerabilities)
  • For Version 12: The following SyracuseServer components have been delivered for the V12 releases below:
      • SyracuseServer 12.17.12 for V12.0.32 (2022 R4) (Fixes both vulnerabilities)
      • SyracuseServer 12.16.4 for V12.0.31 (2022 R3) (Fixes both vulnerabilities)
      • SyracuseServer 12.15.5 for V12.0.30 (2022 R2) (Fixes both vulnerabilities)
      • SyracuseServer 12.14.8 for V12.0.29 (2022 R1) (Fixes the critical vulnerability)