CVE-2014-4311

medium
Published 2014-11-04 · Modified 2026-05-06
VIR risk
6.0

Description

Epicor Enterprise 7.4 before FS74SP6_HotfixTL054181 allows attackers to obtain the (1) Database Connection and (2) E-mail Connection passwords by reading HTML source code of the database connection and email settings page.

Predictions

Exploit likelihood: 20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-34864 webapps asp text · 3 KB
Fara Rustein · 2014-10-02

Epicor Enterprise 7.4 - Multiple Vulnerabilities

Source: Exploit-DB (text advisory)
"Epicor Enterprise vulnerabilities"

- Affected vendor: Epicor Software Corporation
- Affected system: Epicor Enterprise - Version 7.4
- Vendor disclosure date: May 13th, 2014
- Public disclosure date: September 30th, 2014
- Status: Fixed

- Associated CVEs:
  
  1) CVE-2014-4311
  Password values not masked appropriately:
  Even though the application appears to be masking the affected password values
in the database connection and email settings page, it is possible to access
their content by observing the HTML code.
  
  Affected password values:
  - “Database Connection”
  - “E-mail Connection”

  Associated CAPEC:
  CAPEC-167: Lifting Sensitive Data from the Client -
https://capec.mitre.org/data/definitions/167.html
  
  Associated CWE:
  CWE-200: Information Exposure - http://cwe.mitre.org/data/definitions/200.html
  
  2) CVE-2014-4312
  Persistent and reflective cross-site scripting (XSS) attacks possible:
  The identified website is vulnerable to persistent and reflective cross-site
scripting. Script injection is a weakness within an application, and is due to
insufficient validation of the input data (i.e. input data being sent from the
user/presentation layer) and output encoding allowing dynamic execution of
scripts on the application front end resulting in anomalous/abnormal behaviour
of the application.
  
  Example of affected functionalities for persistent XSS:
   - 1. While viewing Order details, and injecting a malicious payload on the
"Notes" section.
   - 2. While modifying an “Order to consume” and injecting a malicious payload
on the "Description" section.
   - 3. While observing the “Favorites” section and injecting a malicious
payload on the “Favorites name” section.
     Example of an injected payload: <script>alert("XSS")</script>
  
  Example of affected URLs for reflective XSS:
  - 1.
https://XXXXX/Procurement/EKPHTML/search_item_bt.asp?RecordsRequested=Yes&FiltPartNo=&FiltSupplier=-1&FiltKeyword=<script>alert("XSS")</script>
  - 2.
https://XXXXX/Procurement/EKPHTML/EnterpriseManager/Budget/ImportBudget_fr.asp?Act=dtt"><script>alert("XSS")</script>
  - 3. https://XXXXX
/Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp?hdnPageName=UserSearch&hdnOpenerFormName=PrefApp&hdnApproverFieldName=temp1&hdnApproverIDFieldName=temp2&hdnUserID=200&hdnOpener=Test"><script>alert("XSS")</script>
  - 4.
https://XXXXX/Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp?hdnOpenerFormName=PrefApp&hdnApproverFieldName="><script>alert("XSS")</script>
  - 5.
https://XXXXX/Procurement/EKPHTML/EnterpriseManager/Codes.asp?INTEGRATED=XSS">--><script>alert("XSS")</script>

  Associated CAPEC:
  CAPEC-32: Embedding Scripts in HTTP Query Strings -
https://capec.mitre.org/data/definitions/32.html
  
  Associated CWE:
  CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting') - http://cwe.mitre.org/data/definitions/79.html

- Available fix:
  Epicor Enterprise Hotfix: FS74SP6_HotfixTL054181
 
- Credit:
  These vulnerabilities were discovered by Fara Rustein.
  If you have any questions, comments, concerns, updates or suggestions please
contact Fara Rustein (TW: @fararustein).
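The CVE-2014-4311 weakness above is a settings page that masks a password visually while still emitting the stored secret in the HTML source. The following is an added example, not code from the advisory or from Epicor: an audit check that parses a rendered page (the HTML, field names and secrets below are constructed) and flags password inputs carrying a non-empty value attribute, alongside a hardened rendering helper that never echoes the secret to the client.

```python
from html import escape
from html.parser import HTMLParser


class PasswordValueAuditor(HTMLParser):
    """Collect <input type="password"> elements whose value attribute is set.
    A masked field in the browser is no protection if the secret is in the source."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}   # bare attributes arrive as None
        if a.get("type", "").lower() == "password" and a.get("value"):
            self.findings.append((a.get("name", "<unnamed>"), a["value"]))


def find_exposed_passwords(html_text):
    """Return [(field name, leaked value), ...] for a rendered settings page."""
    auditor = PasswordValueAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


def render_password_field(name, is_set):
    """Hardened rendering (assumed pattern, not Epicor's fix): leave the field empty,
    tell the operator whether a value exists, and treat a blank submission as 'keep'."""
    hint = "(password set; leave blank to keep)" if is_set else "(not set)"
    return (f'<input type="password" name="{escape(name, quote=True)}" '
            f'autocomplete="new-password"> <span>{hint}</span>')


# Constructed sample pages; field names and secrets are made up for the example.
LEAKY_SETTINGS_PAGE = """
<form action="DbSettings.asp" method="post">
  <input type="text" name="DbServer" value="db01">
  <input type="password" name="DbPassword" value="s3cr3t-db">
  <input type="password" name="SmtpPassword" value="mail-pass">
</form>"""

SAFE_SETTINGS_PAGE = """
<form action="DbSettings.asp" method="post">
  <input type="text" name="DbServer" value="db01">
  <input type="password" name="DbPassword" value="">
  <input type="password" name="SmtpPassword">
</form>"""
```

Run `find_exposed_passwords` over every administrative page a crawler or test fixture can fetch; any finding means a secret is one "view source" away from whoever can load the page.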

Application impact

Vendor: epicor
Product: epicor_enterprise
Versions: up to and including 7.4 (endIncluding: 7.4)
Fixed: (not listed)

References

CWEs

CWE-200
