Security Vulnerability fix for CVE-2018-8269? ('Microsoft.Data.OData' Denial of Service Vulnerability)

SOLVED

Sage 50 appears to be using an older version of microsoft.data.odata.dll in its latest release (2022.2), which makes it vulnerable to a Denial of Service attack.

Is there any plan for an upgrade to v5.8.4 or higher?

Location: c:\program files (x86)\sage 50 premium accounting version 2022\sageoverdrive\connectivityadapters\graphexcelapi\

Reference: msrc.microsoft.com/.../CVE-2018-8269
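
A quick way to confirm what is actually installed, as an added example that is not part of the original post and not code from Sage: the script below walks the Sage 50 install directory named above, finds every copy of Microsoft.Data.OData.dll, and reports whether each one is below the 5.8.4 version the question asks for. The install root is the path from the post; the function name, the 5.8.4 threshold taken from the question, and the output shape are my own assumptions.

```powershell
# Added example (not from the original post or from Sage). Reports every copy of
# Microsoft.Data.OData.dll under a Sage 50 install root and flags versions below
# the 5.8.4 fix level the question refers to.

$SageRoot     = 'C:\Program Files (x86)\Sage 50 Premium Accounting version 2022'   # path from the post
$FixedVersion = [version]'5.8.4'                                                   # version the question asks for

function Get-ODataDllReport {
    param(
        [Parameter(Mandatory)][string]$Root,
        [version]$MinimumVersion = $FixedVersion
    )
    $found = Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'Microsoft.Data.OData.dll' -ErrorAction SilentlyContinue
    if (-not $found) {
        # Nothing to assess: the connector was never installed, or the file was removed
        # (the accepted answer says that is safe when Microsoft 365 sync is not used).
        return @()
    }
    foreach ($file in $found) {
        $vi = $file.VersionInfo

        # FileVersion is free text and may carry a suffix; keep only the leading dotted number.
        $fileVer = $null
        if ($vi.FileVersion -match '^\s*(\d+(\.\d+){1,3})') { $fileVer = [version]$Matches[1] }

        # The CLR assembly version is what a loader binds against; read it without loading the DLL.
        $asmVer = $null
        try { $asmVer = [System.Reflection.AssemblyName]::GetAssemblyName($file.FullName).Version } catch { }

        [pscustomobject]@{
            Path            = $file.FullName
            FileVersion     = $fileVer
            AssemblyVersion = $asmVer
            Sha256          = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            # Unparseable version strings are treated as below the fix so they are not silently passed.
            BelowFix        = ($null -eq $fileVer) -or ($fileVer -lt $MinimumVersion)
        }
    }
}

# Print a table and set a non-zero exit code if any copy is below 5.8.4, so the
# script can be dropped into a scheduled patch-compliance job.
$report = @(Get-ODataDllReport -Root $SageRoot)
$report | Format-Table -AutoSize Path, FileVersion, AssemblyVersion, BelowFix
if ($report | Where-Object BelowFix) { exit 1 } else { exit 0 }
```

Save it as a .ps1 and run it from a console rather than pasting it into an interactive session, since the final `exit` closes the host. The SHA256 column is there so that, if Sage does ship an updated DLL, you can confirm the file on disk actually changed rather than trusting the version string alone.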

  • 0

    Hi Michael,

    Thanks for bringing this to our attention. Sage takes the security of our products seriously and as such, I have forwarded your feedback on to the Sage 50 Support team for review and follow-up. Will update you with any news.

    Warm Regards,
    Erzsi

  • +1
    verified answer

    Thank you for bringing this potential vulnerability to our attention. Upon review by our product development and security engineers of the information available about the vulnerability and how it might be exploited, we are confident that there is no risk posed to our customers by the presence of this DLL.

    As Sage 50 is desktop software typically used in local area networks or standalone environments, and not a web application run by internet-connected servers, there is no exposure to a DoS (Denial of Service) attack.

    The file is loaded dynamically at run time for a specific purpose, but it is not called from a web application. Sage 50 is not a web application and is not typically installed nor used on any server running web applications accessible over the internet.

    The file is used only when connecting to Microsoft 365 to synchronize data to the cloud. If a customer is not using this service, the file can be safely deleted from their local machine without any impact on the software.