Search Results (5 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-67805 | 1 Sage | 1 Dpw | 2026-04-02 | 5.9 Medium |
| A non-default configuration in Sage DPW 2025_06_004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and table names. This feature is disabled by default in all installations and never available in Sage DPW Cloud. It was forcibly disabled again in version 2025_06_003. | ||||
| CVE-2025-67806 | 1 Sage | 1 Dpw | 2026-04-02 | 3.7 Low |
| The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behavior in newer versions. | ||||
| CVE-2025-67807 | 1 Sage | 1 Dpw | 2026-04-02 | 4.7 Medium |
| The login mechanism of Sage DPW 2025_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behaviour in newer versions. | ||||
| CVE-2025-51531 | 2 Sage, Sagedpw | 2 Dpw, Sage Dpw | 2025-10-01 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability in Sage DPW 2024_12_004 and earlier allows attackers to execute arbitrary JavaScript in the context of a victim's browser by injecting a crafted payload into the tabfields parameter at /dpw/scripts/cgiip.exe/WService. The vendor has stated that the issue is fixed in 2025_06_000, released in June 2025. | ||||
| CVE-2025-51533 | 2 Sage, Sagedpw | 2 Dpw, Sage Dpw | 2025-10-01 | 5.3 Medium |
| An Insecure Direct Object Reference (IDOR) in Sage DPW v2024_12_004 and below allows unauthorized attackers to access internal forms by sending a crafted GET request. | ||||