CVE-2022-34322

Severity: Critical (CVSS 3.1 base score 9.0)
Published Jan 1, 2023 · Last Modified Jun 17, 2026

Description

Multiple XSS issues were discovered in Sage Enterprise Intelligence 2021 R1.1 that allow an attacker to execute JavaScript code in the context of users' browsers. The attacker needs to be authenticated to reach the vulnerable features.

One issue is present in the Notify Users About Modification menu and the Notifications feature. A user can send malicious notifications and execute JavaScript code in the browser of every user who has enabled notifications. This is a stored XSS, and can lead to privilege escalation in the context of the application.

Another issue is present in the Favorites tab. The name of a favorite or a folder of favorites is interpreted as HTML, and can thus embed JavaScript code, which is executed when displayed. This is a self-XSS.

CVSS Details

Base Score: 9.0
Exploitability Subscore: 2.3
Impact Subscore: 6.0
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit: Known
Patch: No Patch Available

Weaknesses (1)

CWE-79: Cross-site Scripting Injection

Affected Products (1)

Vendor | Product                      | Version   | Range
sage   | sage_enterprise_intelligence | 2021_r1.1 | any

References (1)

  • synacktiv.com https://www.synacktiv.com/sites/default/files/2022-12/sage_sei_multiple_xss.pdf
    Tags: Exploit, Technical Description, Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.