CVE-2023-31868: Sage X3 version 12.14.0.50-0 is vulnerable to Cross Site Scripting (XSS).
Sage X3 version 12.14.0.50-0 is vulnerable to Cross Site Scripting (XSS). Some parts of the Web application are dynamically built using user's inputs. Yet, those inputs are not verified nor filtered by the application, so they mathed the expected format. Therefore, when HTML/JavaScript code is injected into those fields, this code will be saved by the application and executed by the web browser of the user viewing the web page. Several injection points have been identified on the application. The major one requires the user to be authenticated with a common account, he can then target an Administrator. All others endpoints need the malicious user to be authenticated as an Administrator. Therefore, the impact is diminished.
Security readout for executives and security teams
CVE-2023-31868 is a stored cross-site scripting issue reported in Sage X3 version 12.14.0.50-0. An authenticated user may save malicious HTML or JavaScript into application fields, causing it to run in another user's browser, including potentially an administrator. Exposure appears limited to organizations running Sage X3 version 12.14.0.50-0 with authenticated user access to affected web application areas. Prioritize if Sage X3 is used for sensitive business operations or has broad authenticated access. The risk is not confirmed as actively exploited, but administrator-targeted stored XSS can support account compromise or workflow manipulation. Mitigation focus: Identify whether Sage X3 version 12.14.0.50-0 is deployed.; Check Sage guidance for fixed versions, patches, or configuration mitigations.; Restrict Sage X3 access to trusted users and managed networks..
Prepared
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-31868 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.