CVE-2023-31867

7.2 HIGH

📋 TL;DR

Sage X3 version 12.14.0.50-0 is vulnerable to CSV injection, which allows attackers to embed malicious formulas in exported CSV files. When users open these files in spreadsheet applications like Excel, the formulas can execute arbitrary commands, potentially leading to data theft or system compromise. This affects organizations using the vulnerable Sage X3 version.

💻 Affected Systems

Products:
  • Sage X3
Versions: 12.14.0.50-0
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the CSV export functionality; all default configurations are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could execute arbitrary commands on victim systems, leading to full system compromise, data exfiltration, or ransomware deployment.

🟠 Likely Case

Attackers trick users into opening malicious CSV files, leading to command execution in spreadsheet applications, potentially stealing credentials or sensitive data.

🟢 If Mitigated

With proper user training and application controls, the risk is limited to isolated spreadsheet incidents without broader system impact.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to open a malicious CSV file; public proof-of-concept is available in advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Sage X3 updates post-12.14.0.50-0

Vendor Advisory: http://sage.com

Restart Required: Yes

Instructions:

1. Check Sage X3 version.
2. Apply the latest patch from Sage.
3. Restart the Sage X3 service.
4. Verify the fix by testing CSV export functionality.

🔧 Temporary Workarounds

Disable CSV Export

all

Temporarily disable CSV export functionality in Sage X3 to prevent exploitation.

Consult Sage X3 administration guide for disabling specific modules.

User Training

all

Train users not to open CSV files from untrusted sources and to disable automatic formula execution in spreadsheet applications.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can export CSV files.
  • Use application whitelisting to prevent execution of malicious commands from spreadsheet applications.

🔍 How to Verify

Check if Vulnerable:

Check if Sage X3 version is 12.14.0.50-0 via administration console or version command.

Check Version:

Check Sage X3 administration panel or run version query specific to your deployment.

Verify Fix Applied:

After patching, test CSV export to ensure no malicious formulas can be injected; verify version is updated.
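One way to run the export check described above is to scan an exported file for cells a spreadsheet would evaluate. This is an added example, not code from Sage or from the advisory; the function names and the sample export are constructed, and the trigger list is the one OWASP documents for CSV injection.

```python
import csv
import io
import re

# Leading characters that spreadsheet applications treat as the start of a
# formula (assumption: the list OWASP documents for CSV injection).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")

# Constructed sample export with two benign formula cells (not real Sage X3 output).
SAMPLE_EXPORT = (
    "id,name,balance,comment\r\n"
    "1,Alice,-12.50,ok\r\n"
    "2,=1+1,40,plain text\r\n"
    '3,Bob,7,"  @SUM(A1:A2)"\r\n'
)


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet could evaluate this cell instead of showing it as text."""
    if PLAIN_NUMBER.fullmatch(cell.strip(" ")):
        return False  # signed numbers such as -12.50 are legitimate data
    # Leading spaces do not stop evaluation, so ignore them before checking.
    return cell.lstrip(" ").startswith(FORMULA_TRIGGERS)


def find_formula_cells(csv_text: str):
    """Return (row, column, value) for every cell a spreadsheet might evaluate."""
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    return [(r, c, cell)
            for r, row in enumerate(reader, start=1)
            for c, cell in enumerate(row, start=1)
            if is_formula_like(cell)]


def neutralize(csv_text: str) -> str:
    """Rewrite the export so flagged cells open as text (leading apostrophe, all fields quoted)."""
    out = io.StringIO(newline="")
    writer = csv.writer(out, quoting=csv.QUOTE_ALL)
    for row in csv.reader(io.StringIO(csv_text, newline="")):
        writer.writerow(["'" + cell if is_formula_like(cell) else cell for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    for row, col, value in find_formula_cells(SAMPLE_EXPORT):
        print(f"row {row}, column {col}: {value!r}")
```

An empty result from `find_formula_cells` on a fresh export containing test values is the pass condition; `neutralize` can be applied to files that must be shared before the patch is in place.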

📡 Detection & Monitoring

Log Indicators:

  • Unusual CSV export activities
  • Failed export attempts with suspicious payloads

Network Indicators:

  • Unexpected outbound connections from systems after opening CSV files

SIEM Query:

source="sage_x3" AND event="csv_export" AND (payload CONTAINS "=" OR payload CONTAINS "+")
