sagedpw 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには vendor risk cross-site scripting and パス処理の欠陥 があり、vendor surface software deployment and vendor surface production workloads の利用場面で vendor impact session compromise and ファイル上書き などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-67807 | The login mechanism of Sage DPW 2025_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behaviour in newer versions. | [email protected] | 4.7 | 0.03% | 2026-04-01 | 2026-04-07 |
| CVE-2025-67806 | The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behavior in newer versions. | [email protected] | 3.7 | 0.03% | 2026-04-01 | 2026-05-10 |
| CVE-2025-67805 | A non-default configuration in Sage DPW 2025_06_004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and table names. This feature is disabled by default in all installations and never available in Sage DPW Cloud. It was forcibly disabled again in version 2025_06_003. | [email protected] | 5.9 | 0.03% | 2026-04-01 | 2026-05-10 |
| CVE-2025-51533 | An Insecure Direct Object Reference (IDOR) in Sage DPW v2024_12_004 and below allows unauthorized attackers to access internal forms via sending a crafted GET request. | [email protected] | 5.3 | 0.26% | 2025-08-07 | 2025-10-01 |
| CVE-2025-51532 | Incorrect access control in Sage DPW 2024_12_004 and earlier allows unauthorized attackers to access the built-in Database Monitor via a crafted request. The vendor has stated that the issue is fixed in 2025_06_000, released in June 2025. | [email protected] | 7.5 | 0.31% | 2025-08-06 | 2025-10-01 |
| CVE-2025-51531 | A reflected cross-site scripting (XSS) vulnerability in Sage DPW 2024_12_004 and earlier allows attackers to execute arbitrary JavaScript in the context of a victim's browser via injecting a crafted payload into the tabfields parameter at /dpw/scripts/cgiip.exe/WService. The vendor has stated that the issue is fixed in 2025_06_000, released in June 2025. | [email protected] | 6.1 | 0.18% | 2025-08-06 | 2025-10-01 |
| CVE-2024-56883 | Sage DPW before 2024_12_001 is vulnerable to Incorrect Access Control. The implemented role-based access controls are not always enforced on the server side. Low-privileged Sage users with employee role privileges can create external courses for other employees, even though they do not have the option to do so in the user interface. To do this, a valid request to create a course simply needs to be modified, so that the current user ID in the "id" parameter is replaced with the ID of another user | [email protected] | 8.1 | 3.06% | 2025-02-18 | 2025-09-25 |
| CVE-2024-56882 | Sage DPW before 2024_12_000 is vulnerable to Cross Site Scripting (XSS). Low-privileged Sage users with employee role privileges can permanently store JavaScript code in the Kurstitel and Kurzinfo input fields. The injected payload is executed for each authenticated user who views and interacts with the modified data elements. | [email protected] | 5.4 | 0.43% | 2025-02-18 | 2025-10-01 |
| CVE-2020-26584 | An issue was discovered in Sage DPW 2020_06_x before 2020_06_002. The search field "Kurs suchen" on the page Kurskatalog is vulnerable to Reflected XSS. If the attacker can lure a user into clicking a crafted link, he can execute arbitrary JavaScript code in the user's browser. The vulnerability can be used to change the contents of the displayed site, redirect to other sites, or steal user credentials. Additionally, users are potential victims of browser exploits and JavaScript malware. | [email protected] | 6.1 | 0.45% | 2020-10-16 | 2024-11-21 |
| CVE-2020-26583 | An issue was discovered in Sage DPW 2020_06_x before 2020_06_002. It allows unauthenticated users to upload JavaScript (in a file) via the expenses claiming functionality. However, to view the file, authentication is required. By exploiting this vulnerability, an attacker can persistently include arbitrary HTML or JavaScript code into the affected web page. The vulnerability can be used to change the contents of the displayed site, redirect to other sites, or steal user credentials. Additionally | [email protected] | 6.1 | 0.78% | 2020-10-16 | 2024-11-21 |