PT-2014-5807 · Epicor · Epicor Enterprise

Published

2014-10-10

·

Updated

2017-08-29

·

CVE-2014-4312

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Epicor Enterprise version 7.4 before FS74SP6_HotfixTL054181

Description

Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via several sections and parameters: the Notes section of Order details, the Description section of "Order to consume", the Favorites name section of Favorites, the FiltKeyword parameter to "Procurement/EKPHTML/search_item_bt.asp", the Act parameter to "Procurement/EKPHTML/EnterpriseManager/Budget/ImportBudget_fr.asp", the hdnOpener or hdnApproverFieldName parameter to "Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp", and the INTEGRATED parameter to "Procurement/EKPHTML/EnterpriseManager/Codes.asp". The CVSS v2 vector (network, medium complexity, no authentication, partial integrity impact) reflects that exploitation needs a victim to open a crafted link or view injected content in the application.

Recommendations

For Epicor Enterprise version 7.4, apply FS74SP6_HotfixTL054181 to resolve the issue. As a temporary workaround until the patch is applied, restrict access to the affected pages ("Procurement/EKPHTML/search_item_bt.asp", "Procurement/EKPHTML/EnterpriseManager/Budget/ImportBudget_fr.asp", "Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp" and "Procurement/EKPHTML/EnterpriseManager/Codes.asp") to trusted users and networks, and reject or filter markup characters in the FiltKeyword, Act, hdnOpener, hdnApproverFieldName and INTEGRATED parameters at the web server or a WAF in front of it. Note that the Notes, Description and Favorites name inputs are application form fields rather than URL parameters, so URL-based restrictions do not cover them; only the patch fully addresses those.
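The following is an added example, not code from Epicor or from this advisory. It triages IIS W3C log lines for probes against the page/parameter pairs named above, which is the check a defender wants while the hotfix is pending. It assumes IIS extended logging with the fields listed in FIELDS (a reduced field set chosen for the example) and that the affected paths use underscores as given in the CVE text; the log lines and IP addresses are constructed, and the SUSPICIOUS pattern is a deliberately loose heuristic that should be tuned against a real baseline.

```python
"""Triage IIS W3C log lines for XSS probes against the CVE-2014-4312 parameters.

Added example; assumptions: IIS W3C extended logging with the FIELDS below,
affected paths as in the CVE text, constructed sample log lines.
"""
import re
from urllib.parse import parse_qs, unquote_plus

# Page -> parameters named in the advisory. Paths are compared case-insensitively
# because IIS resolves them that way.
AFFECTED = {
    "/procurement/ekphtml/search_item_bt.asp": {"filtkeyword"},
    "/procurement/ekphtml/enterprisemanager/budget/importbudget_fr.asp": {"act"},
    "/procurement/ekphtml/enterprisemanager/usersearchdlg.asp": {"hdnopener", "hdnapproverfieldname"},
    "/procurement/ekphtml/enterprisemanager/codes.asp": {"integrated"},
}

# Characters and tokens that switch context in HTML or script. Loose on purpose:
# it will also flag some legitimate data, so tune it to your own traffic.
SUSPICIOUS = re.compile(r"""[<>"']|javascript:|on\w+\s*=|&#""", re.IGNORECASE)

# Assumed (reduced) IIS W3C field list for this example.
FIELDS = ["date", "time", "cs-method", "cs-uri-stem", "cs-uri-query", "c-ip", "sc-status"]

# Constructed sample log; the two 203.0.113.7 requests carry payloads,
# the last line hits a page that is not in the advisory.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2014-10-10 09:12:01 GET /Procurement/EKPHTML/search_item_bt.asp FiltKeyword=bolt+m8 10.0.0.5 200
2014-10-10 09:12:44 GET /Procurement/EKPHTML/search_item_bt.asp FiltKeyword=%3Cscript%3Ealert(1)%3C/script%3E 203.0.113.7 200
2014-10-10 09:13:02 GET /Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp hdnOpener=%2522%253E%253Cimg+src%3Dx+onerror%3Dalert(1)%253E&hdnApproverFieldName=Approver 203.0.113.7 200
2014-10-10 09:13:30 GET /Procurement/EKPHTML/EnterpriseManager/Codes.asp INTEGRATED=1 10.0.0.9 200
2014-10-10 09:14:10 GET /Procurement/EKPHTML/other.asp FiltKeyword=%3Cb%3E 10.0.0.9 200
"""


def parse_line(line):
    """Split one W3C record into a dict, or return None if the field count is off."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def suspicious_params(stem, query):
    """Return {param: decoded_value} for advisory parameters carrying markup-like input."""
    params = AFFECTED.get(stem.lower())
    if not params or query == "-":
        return {}
    hits = {}
    # parse_qs percent-decodes once; unquote_plus below decodes a second time
    # so double-encoded payloads (%253C -> %3C -> <) are caught as well.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() not in params:
            continue
        for value in values:
            decoded = unquote_plus(value)
            if SUSPICIOUS.search(value) or SUSPICIOUS.search(decoded):
                hits[name] = decoded
    return hits


def triage(lines):
    """Return a finding per log line whose advisory parameters look like XSS probes."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        record = parse_line(line)
        if record is None:
            continue
        hits = suspicious_params(record["cs-uri-stem"], record["cs-uri-query"])
        if hits:
            findings.append({"ip": record["c-ip"], "stem": record["cs-uri-stem"], "params": hits})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding["ip"], finding["stem"], finding["params"])
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and FIELDS with the `#Fields:` line of that log; the page/parameter table is the part worth keeping as a WAF or SIEM rule once the heuristic is tuned.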

Tags: Exploit · Fix · XSS


Related Identifiers

CVE-2014-4312

Affected Products

Epicor Enterprise