CVE-2025-67806 describes an account-enumeration weakness in the Sage DPW login mechanism. In affected versions, the login flow can return distinct responses for valid versus invalid usernames, which can let an attacker confirm whether an account exists. NVD rates the issue low severity (CVSS 3.7) and maps it to CWE-203/CWE-204. The record also notes that on-premise administrators can toggle this behavior [truncated]
CVE-2025-67805 describes an exposure in Sage DPW 2025_06_004 where a non-default Database Monitor configuration can allow unauthenticated access to diagnostic endpoints. According to the source description, the affected endpoints can expose sensitive information such as hashes and table names. The feature is disabled by default in all installations, never available in Sage DPW Cloud, and was forcibly disa [truncated]
