Epicor Procurement SQL Injection

- Affected vendor: Epicor Software Corporation
- Affected system: Epicor Procurement
- Vendor disclosure date: May 13th, 2014
- Public disclosure date: October 3rd, 2014
- Status: Fixed
- Associated CVE: CVE-2014-4313
- Associated CAPEC: CAPEC-66 SQL Injection - http://capec.mitre.org/data/definitions/66.html
- Description: The Epicor Procurement software is susceptible to SQL injection, i.e. an attacker can query and manipulate data stored in the database used as the application's backend by injecting SQL statements through user-controlled input. Furthermore, error messages generated by the database are shown to users, which discloses database details and makes the injection easier to exploit.
- Example of affected field:
  - User (field displayed during login with "Use SQL server authentication")
- Available fix: Epicor Procurement 7.4 SP2
- Related Links: Deloitte Argentina - www.deloitte.com/ar
- Credit: This vulnerability was discovered by Luciano Martins. If you have any questions, comments, concerns, updates or suggestions please contact Luciano Martins:
  - Email: lmartins@deloitte com
  - Twitter: @clucianomartins
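The following is an added illustration of the vulnerability class described above (CAPEC-66 plus database error disclosure through a login "User" field); it is not Epicor's code, schema or the actual payload used, and nothing in it is specific to Epicor Procurement. It uses an in-memory SQLite table as a stand-in for the SQL Server backend, with a constructed users table; the function names and the generic "Login failed" message are assumptions. The vulnerable login builds the query by string concatenation and echoes the raw database error, exactly the two defects the advisory names; the fixed login binds the input as a parameter and returns only a generic message.

```python
import sqlite3


def make_db():
    """Constructed sample backend: two users in an in-memory SQLite table
    (stand-in for the real SQL Server database; not Epicor's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("admin", "hunter2")])
    conn.commit()
    return conn


def build_vulnerable_sql(user, password):
    """The query text the vulnerable login actually sends: the User field is
    spliced into the SQL, so quotes and '--' in it are parsed as SQL."""
    return (f"SELECT username FROM users WHERE username = '{user}' "
            f"AND password = '{password}'")


def login_vulnerable(conn, user, password):
    """Vulnerable pattern: string-built query and raw DB error shown to the user."""
    try:
        row = conn.execute(build_vulnerable_sql(user, password)).fetchone()
    except sqlite3.Error as exc:
        # Defect 2: the database's own message reaches the user.
        return {"ok": False, "user": None, "error": f"Database error: {exc}"}
    return {"ok": row is not None, "user": row[0] if row else None, "error": None}


def login_fixed(conn, user, password):
    """Hardened pattern: parameterised query, generic error message."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    try:
        row = conn.execute(sql, (user, password)).fetchone()
    except sqlite3.Error:
        # Log the real exception server-side; never return it to the client.
        return {"ok": False, "user": None, "error": "Login failed"}
    return {"ok": row is not None, "user": row[0] if row else None, "error": None}


if __name__ == "__main__":
    db = make_db()
    # '--' comments out the password check, so the vulnerable login succeeds
    # as admin without the password; the fixed login does not.
    print(login_vulnerable(db, "admin' --", "wrong"))
    print(login_fixed(db, "admin' --", "wrong"))
    # A lone quote breaks the SQL syntax; the vulnerable login leaks the
    # parser error, the fixed login simply fails the login.
    print(login_vulnerable(db, "admin'", "x"))
    print(login_fixed(db, "admin'", "x"))
```

The same two probes are the practitioner's quick check for this class of bug: a comment-terminated username that logs in without a valid password, and a single quote that produces a database-flavoured error page. Both are fixed by the parameterised version; no amount of quote-escaping on the string-built query is a substitute for it.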