
CERT Coordination Center

Sage XRT Treasury database fails to properly restrict access to authorized users

Vulnerability Note VU#742632

Original Release Date: 2017-02-28 | Last Revised: 2017-02-28

Overview

Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions.

Description

CWE-639: Authorization Bypass Through User-Controlled Key - CVE-2017-3183

Sage XRT Treasury is a business finance management application. Database user access privileges are determined by the USER_CODE field associated with the querying user. By modifying the USER_CODE value to match that of a privileged user, a low-privileged, authenticated user may gain privileged access to the SQL database.
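The following is an added illustration of the CWE-639 pattern described above, not code from Sage or from this note. It uses a constructed, hypothetical schema in an in-memory SQLite database: a `users` table keyed by USER_CODE and a privileged operation that is authorized either from a client-supplied USER_CODE (the weak form) or from the USER_CODE bound to the authenticated session (the corrected form), with a mismatch between the two recorded for monitoring.

```python
import sqlite3

AUDIT_LOG = []  # collects events a defender would want to alert on


def make_db():
    """Constructed toy schema (assumption, not the product's real schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (user_code TEXT PRIMARY KEY, role TEXT);
        INSERT INTO users VALUES ('U100', 'admin'), ('U200', 'clerk');
        CREATE TABLE payments (id INTEGER PRIMARY KEY, amount REAL);
        INSERT INTO payments VALUES (1, 250.0);
    """)
    return db


def role_for(db, user_code):
    """Privilege lookup keyed purely on USER_CODE (parameterised query)."""
    row = db.execute("SELECT role FROM users WHERE user_code = ?",
                     (user_code,)).fetchone()
    return row[0] if row else None


def delete_payment_weak(db, session, request):
    """CWE-639: the key that decides privileges is taken from the request,
    so whoever builds the request chooses which user's privileges apply."""
    if role_for(db, request.get("USER_CODE")) != "admin":
        return "denied"
    db.execute("DELETE FROM payments WHERE id = ?", (request["payment_id"],))
    return "deleted"


def delete_payment_fixed(db, session, request):
    """Privileges derive only from the USER_CODE the server bound to the
    session at login; any client-supplied value is ignored and audited."""
    if "USER_CODE" in request and request["USER_CODE"] != session["user_code"]:
        AUDIT_LOG.append(f"USER_CODE mismatch: session={session['user_code']} "
                         f"request={request['USER_CODE']}")
    if role_for(db, session["user_code"]) != "admin":
        return "denied"
    db.execute("DELETE FROM payments WHERE id = ?", (request["payment_id"],))
    return "deleted"


def demo():
    """Clerk U200 is authenticated; the request carries admin code U100."""
    db = make_db()
    session = {"user_code": "U200"}
    request = {"USER_CODE": "U100", "payment_id": 1}
    return delete_payment_weak(db, session, request), \
        delete_payment_fixed(db, session, request), len(AUDIT_LOG)
```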

Impact

A remote, authenticated user can submit specially crafted SQL queries to gain privileged access to the application database.

Solution

Apply an upgrade

The vendor has indicated that XRT Treasury version 4 addresses this issue. Users are encouraged to update to the latest release and to encrypt connections to the database server.

Vendor Information


Sage: Affected

Notified: December 06, 2016
Updated: February 21, 2017



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group          Score  Vector
Base           9      AV:N/AC:L/Au:S/C:C/I:C/A:C
Temporal       7      E:POC/RL:OF/RC:C
Environmental  5.3    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND


Acknowledgements

Thanks to Victor Portal Gonzalez of Deloitte Spain for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2017-3183
Date Public: 2017-02-28
Date First Published: 2017-02-28
Date Last Updated: 2017-02-28 15:04 UTC
Document Revision: 16

Sponsored by CISA.