# Vulnerability Summary

## Vulnerability [1]: Unauthorized Access to Database Monitoring Module - CVE-2025-8765

### Vulnerability Overview

A non-default configuration in Sage DPW allows unauthorized access to diagnostic endpoints of the database monitoring functionality, exposing sensitive information (hashes, table names, etc.). This feature is disabled by default, is unavailable in Sage DPW Cloud, and has been forcibly disabled in version 2025_06_003.

### Impact Scope

- Affected Component: endpoint
- Affected Versions: On-premise deployments with non-default configurations (prior to 2025_06_003)
- Sage DPW Cloud is not affected

### Remediation

- Upgrade to version 2025_06_003 or later
- This feature has been forcibly disabled

---

## Vulnerability [2]: User Enumeration via Login Feedback - CVE-2025-8766

### Vulnerability Overview

Sage DPW's login mechanism returns different responses for valid and invalid usernames, allowing an attacker to enumerate the accounts present in the system.

### Impact Scope

- Affected Component: Authentication/Login processing module
- Affected Versions: Versions prior to 2021_06_000
- Sage DPW Cloud is not affected (this feature is not configurable)

### Remediation

- On-premise administrators can optionally toggle this behavior in newer versions

---

## Vulnerability [3]: Stored XSS via Email and HTTP-POST - CVE-2025-8767

### Vulnerability Overview

The evaluation and email functionality of the database monitoring module contains a stored XSS vulnerability: unfiltered input can lead to execution of HTML/JavaScript in the local user context. Impact is limited because payloads run only locally and session cookies are protected by the HttpOnly flag.

### Impact Scope

- Affected Components: and email/POST functionality
- Affected Versions: On-premise deployments with non-default configurations (prior to 2025_06_004)
- Sage DPW Cloud is not affected

### Remediation

- Upgrade to version 2025_06_004 or later

---

## General Reference Information

- Security Advisory Source: Limes Security
- Official Reference: https://www.sagedpw.at/
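The login-feedback weakness behind Vulnerability [2] (CVE-2025-8766) comes down to the authentication handler answering differently depending on whether the username exists. The following added example, which is not Sage DPW code and uses a constructed in-memory user store, shows that leaky pattern next to a hardened handler that returns one failure message for every failed attempt and always performs the password-hash computation, so neither the message nor the timing reveals whether an account exists.

```python
import hashlib
import hmac

# Constructed sample data for this example only (not real Sage DPW accounts).
# Iteration count is reduced from production values to keep the example fast.
_ITERATIONS = 10_000
_SALT = b"constructed-example-salt"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


USERS = {"alice": (_SALT, _pbkdf2("correct horse battery", _SALT))}

# Dummy record so unknown usernames still cost exactly one hash computation.
_DUMMY_RECORD = (_SALT, _pbkdf2("dummy-password-never-valid", _SALT))


def login_leaky(username: str, password: str) -> str:
    """Pattern behind the advisory: the failure message reveals whether
    the username exists, and unknown users skip the hash work entirely."""
    record = USERS.get(username)
    if record is None:
        return "unknown user"
    salt, stored = record
    if not hmac.compare_digest(_pbkdf2(password, salt), stored):
        return "wrong password"
    return "ok"


def login_uniform(username: str, password: str) -> str:
    """Hardened handler: one generic failure response, hash always computed,
    constant-time digest comparison, so valid and invalid usernames look alike."""
    known = username in USERS
    salt, stored = USERS.get(username, _DUMMY_RECORD)
    match = hmac.compare_digest(_pbkdf2(password, salt), stored)
    if known and match:
        return "ok"
    return "invalid credentials"
```

Rate limiting and audit logging of failed attempts belong alongside this, but the uniform response is what closes the enumeration channel itself.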