Important!! Syracuse Server Hotfix 12.19.12.2

A security risk related to the Syracuse Server has been detected within Sage X3 that may impact customers using Sage X3. The risk affects 2023 R1 and 2023 R2. The fixes are available for download on our ftp site.

The Syracuse Server Hotfix 12.19.12.2 is available on our ftp Server and contains these fixes as well.

The details of the vulnerabilities are below:

1. Information Disclosure (Severity: Medium): Some endpoints in Sage X3 allow a user with sufficient access rights to read object properties that are not meant to be disclosed. This is restricted to objects the user has access to, depending on their role and access rights in Sage X3. Object properties that are not meant to be disclosed are no longer displayed in any scenario.

2. Brute force attack – Login credentials (Severity: Medium): The X3 basic login screen may allow an attacker to perform brute force attacks and, if successful, gain unauthorized access. This attack scenario is possible only when basic (user / password) authentication is used. Reminder: as per Sage security guidelines, basic authentication (user / password) must never be used in production instances.

3. Mass Assignment (Severity: Medium): The Sage X3 REST API allows a user with sufficient access rights to modify object properties that are not meant to be modifiable. This is only possible for objects the user has access to, depending on their role and access rights in X3. Object properties that are not meant to be modified by a user are no longer modifiable via the REST API.
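Items 1 and 3 are two sides of the same defect: an API that serializes or merges whole objects instead of checking each property against an explicit read/write rule. The following JavaScript is an added illustration written for this page, not code from Sage X3 or the Syracuse Server. The `customer` resource, its schema, and the record and request body are constructed for the example; the vulnerable `applyUpdateUnsafe` is shown beside the hardened `applyUpdate` so the difference is visible.

```javascript
// Added example (not Sage code): per-property read/write allowlisting for a
// REST resource. Anything not declared readable is never serialized (item 1);
// anything not declared writable cannot be set from a request body (item 3).

// Hypothetical schema for a "customer" resource. Properties absent from the
// schema are neither readable nor writable through the API.
const CUSTOMER_SCHEMA = {
  code:          { read: true,  write: false }, // business key, immutable
  name:          { read: true,  write: true  },
  creditLimit:   { read: true,  write: false }, // set only by a back-office workflow
  internalNotes: { read: false, write: false }, // never exposed via the API
};

const hasOwn = (obj, prop) => Object.prototype.hasOwnProperty.call(obj, prop);

// Item 1, hardened: copy out only the properties the schema marks readable,
// instead of returning the stored record as-is.
function serializeForApi(record, schema) {
  const out = {};
  for (const [prop, rule] of Object.entries(schema)) {
    if (rule.read && hasOwn(record, prop)) out[prop] = record[prop];
  }
  return out;
}

// Item 3, vulnerable form: merging the request body straight into the record
// lets the caller overwrite creditLimit, code, internalNotes or any unknown
// property. Kept here only to contrast with applyUpdate below.
function applyUpdateUnsafe(record, body) {
  return Object.assign({}, record, body);
}

// Item 3, hardened: accept only writable properties and reject the whole
// request if it names anything else, so the attempt is visible in logs rather
// than silently dropped. hasOwn() also keeps "__proto__" from matching the
// schema's inherited prototype.
function applyUpdate(record, body, schema) {
  const rejected = Object.keys(body).filter(
    (p) => !(hasOwn(schema, p) && schema[p].write)
  );
  if (rejected.length > 0) {
    const err = new Error(`Properties not modifiable via API: ${rejected.join(', ')}`);
    err.status = 400;
    err.rejected = rejected;
    throw err;
  }
  const updated = { ...record };
  for (const p of Object.keys(body)) updated[p] = body[p];
  return updated;
}

// Constructed demo data: a stored record and a request that tries to raise
// its own credit limit while renaming the customer.
const SAMPLE_RECORD = { code: 'C001', name: 'Acme', creditLimit: 1000, internalNotes: 'VIP' };
const SAMPLE_BODY = { name: 'Acme Ltd', creditLimit: 999999 };

// Runs the three cases and returns a summary an operator could log.
function demoPropertyRules() {
  const exposed = serializeForApi(SAMPLE_RECORD, CUSTOMER_SCHEMA);
  const unsafe = applyUpdateUnsafe(SAMPLE_RECORD, SAMPLE_BODY);
  let rejected = [];
  try {
    applyUpdate(SAMPLE_RECORD, SAMPLE_BODY, CUSTOMER_SCHEMA);
  } catch (e) {
    rejected = e.rejected;
  }
  return {
    exposedKeys: Object.keys(exposed),            // ['code', 'name', 'creditLimit']
    unsafeCreditLimit: unsafe.creditLimit,        // 999999 (the bug)
    rejected,                                     // ['creditLimit']
  };
}

console.log(demoPropertyRules());
```

The schema is the single source of truth for both directions, which is the property worth copying: a field added later defaults to hidden and read-only until someone deliberately opens it, and a rejected write produces a 400 that a SIEM rule can count per user.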
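For item 2, the server-side control that blunts a brute force attack against a user/password login is a per-account failed-attempt counter with a temporary lockout, logged so that the attempts themselves become a detection signal. The JavaScript below is an added example written for this page, not Syracuse Server code. The thresholds, the injectable clock, the `verify` callback and the demo account are all assumptions; a real deployment would verify against a salted password hash and add a per-source-address counter alongside the per-account one.

```javascript
// Added example (not Sage code): per-account failed-login throttling with a
// temporary lockout for a basic user/password login. Constants are assumptions.
const MAX_FAILURES = 5;             // failures tolerated within WINDOW_MS
const WINDOW_MS = 15 * 60 * 1000;   // sliding window for counting failures
const LOCKOUT_MS = 15 * 60 * 1000;  // how long the account stays locked

class LoginThrottle {
  // `now` is injectable so the behaviour can be exercised with a fake clock.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.failures = new Map();    // account -> timestamps of recent failures
    this.lockedUntil = new Map(); // account -> lockout expiry (ms)
  }

  // Accounts are normalized so "Admin" and "admin" share one counter.
  static key(user) { return String(user).trim().toLowerCase(); }

  // True while the account is inside an active lockout; expired lockouts are cleared.
  isLocked(user) {
    const k = LoginThrottle.key(user);
    const until = this.lockedUntil.get(k);
    if (until === undefined) return false;
    if (this.now() < until) return true;
    this.lockedUntil.delete(k);
    this.failures.delete(k);
    return false;
  }

  // Record a failure; returns true when this failure triggered a lockout,
  // which is the event worth alerting on.
  recordFailure(user) {
    const k = LoginThrottle.key(user);
    const t = this.now();
    const recent = (this.failures.get(k) || []).filter((ts) => t - ts < WINDOW_MS);
    recent.push(t);
    this.failures.set(k, recent);
    if (recent.length >= MAX_FAILURES) {
      this.lockedUntil.set(k, t + LOCKOUT_MS);
      return true;
    }
    return false;
  }

  recordSuccess(user) {
    const k = LoginThrottle.key(user);
    this.failures.delete(k);
    this.lockedUntil.delete(k);
  }
}

// Login handler. `verify(user, password)` is a hypothetical credential check.
// "unknown user" and "wrong password" both yield the same 401 so the endpoint
// does not reveal which accounts exist; a locked account yields 429.
function login(throttle, verify, user, password) {
  if (throttle.isLocked(user)) return { ok: false, status: 429, reason: 'locked' };
  if (verify(user, password)) {
    throttle.recordSuccess(user);
    return { ok: true, status: 200 };
  }
  const lockedNow = throttle.recordFailure(user);
  return { ok: false, status: 401, reason: lockedNow ? 'locked' : 'invalid' };
}

// Constructed demo: six wrong passwords, then the right password while the
// account is still locked (with different letter case), then the right
// password after the lockout expires. Returns the sequence of HTTP statuses.
function demoLoginThrottle() {
  let clock = 0;
  const throttle = new LoginThrottle(() => clock);
  const verify = (u, p) => u === 'alice' && p === 'correct horse'; // constructed credential
  const statuses = [];
  for (let i = 0; i < 6; i++) statuses.push(login(throttle, verify, 'alice', 'wrong').status);
  statuses.push(login(throttle, verify, 'ALICE', 'correct horse').status);
  clock += LOCKOUT_MS + 1;
  statuses.push(login(throttle, verify, 'alice', 'correct horse').status);
  return statuses; // [401, 401, 401, 401, 401, 429, 429, 200]
}

console.log(demoLoginThrottle());
```

The fifth failure is still answered 401 (the lockout is set as a side effect), and only the sixth is refused outright; returning the lockout via `recordFailure` lets the caller emit one "account locked" event per incident rather than one per attempt.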

Please refer to the current security best practice recommendations available via the Sage X3 Online Help Center.