Epicor Procurement SQL Injection

- Affected vendor: Epicor Software Corporation
- Affected system: Epicor Procurement
- Vendor disclosure date: May 13th, 2014
- Public disclosure date: October 3rd, 2014
- Status: Fixed

- Associated CVE: CVE-2014-4313
- Associated CAPEC: CAPEC-66 SQL Injection - http://capec.mitre.org/data/definitions/66.html

- Description:
The Epicor Desktop software is susceptible to SQL injection: by injecting SQL statements through an input field, an attacker can query and manipulate data stored in the database that backs the application.
Furthermore, error messages generated by the database are shown to users.

Example of affected field:
- User (field displayed during login with "Use SQL server authentication")
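As an added illustration (not Epicor's code), the two defects the description names in a login lookup: the User field spliced into the statement with the database's error text echoed back, beside a parameterized version that returns a generic message. sqlite3 stands in for the SQL Server backend; the table, columns and sample record are constructed.

```python
"""Added example, not from the advisory: vulnerable vs. hardened login lookup.
sqlite3 is a stand-in for SQL Server; schema and data below are constructed."""
import logging
import sqlite3

log = logging.getLogger("login")


def make_db() -> sqlite3.Connection:
    # Constructed sample data; the real Epicor schema is not part of the advisory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice')")
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, user: str) -> tuple:
    # Defect 1: the User field is formatted straight into the SQL text, so a
    # quote in the input changes the statement instead of being data.
    # Defect 2: the raw database error is handed back to the caller.
    try:
        rows = conn.execute(
            f"SELECT name, pw_hash FROM users WHERE name = '{user}'").fetchall()
        return ("ok", rows)
    except sqlite3.Error as exc:
        return ("error", str(exc))


def lookup_user_hardened(conn: sqlite3.Connection, user: str) -> tuple:
    # Fix 1: a bound parameter; the driver sends the value separately from the
    # statement, so no input can alter the query's structure.
    # Fix 2: database errors are logged server-side and replaced by a generic
    # message, so nothing about the backend reaches the login screen.
    try:
        rows = conn.execute(
            "SELECT name, pw_hash FROM users WHERE name = ?", (user,)).fetchall()
        return ("ok", rows)
    except sqlite3.Error:
        log.exception("database error during login lookup")
        return ("error", "Login failed.")


if __name__ == "__main__":
    db = make_db()
    # A stray quote: the vulnerable form leaks a database error, the hardened
    # form simply finds no user with that literal name.
    print(lookup_user_vulnerable(db, "alice'"))
    print(lookup_user_hardened(db, "alice'"))
```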

- Available fix:
Epicor Procurement 7.4 SP2

- Related Links: Deloitte Argentina - www.deloitte.com/ar

- Credit:
This vulnerability was discovered by Luciano Martins.

If you have any questions, comments, concerns, updates or suggestions please contact Luciano Martins:
- Email: lmartins@deloitte com
- Twitter: @clucianomartins