CVE-2014-4312
CVE-2014-4312
Multiple cross-site scripting (XSS) vulnerabilities in Epicor Enterprise 7.4 before FS74SP6_HotfixTL054181 allow remote attackers to inject arbitrary web script or HTML via the (1) Notes section to Order details; (2) Description section to "Order to consume"; (3) Favorites name section to Favorites; (4) FiltKeyword parameter to Procurement/EKPHTML/search_item_bt.asp; (5) Act parameter to Procurement/EKPHTML/EnterpriseManager/Budget/ImportBudget_fr.asp; (6) hdnOpener or (7) hdnApproverFieldName parameter to Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp; or (8) INTEGRATED parameter to Procurement/EKPHTML/EnterpriseManager/Codes.asp.
Affected products
n/a · n/apublic PoCs found — 3
cve_referencepacketstormsecurity.com/files/128511/Epicor-Password-Disclosure-Cross-Site-Scripting.htmlunverifiedcve_referencewww.exploit-db.com/exploits/34864unverifiedexploitdbwww.exploit-db.com/exploits/34864unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://osvdb.org/show/osvdb/112464http://osvdb.org/show/osvdb/112465http://osvdb.org/show/osvdb/112466http://osvdb.org/show/osvdb/112467http://osvdb.org/show/osvdb/112469http://osvdb.org/show/osvdb/112470http://osvdb.org/show/osvdb/112471http://packetstormsecurity.com/files/128511/Epicor-Password-Disclosure-Cross-Site-Scripting.htmlhttp://seclists.org/fulldisclosure/2014/Oct/2https://exchange.xforce.ibmcloud.com/vulnerabilities/96793http://www.exploit-db.com/exploits/34864http://www.securityfocus.com/bid/70192