Epicor · Epicor Hcm · CVE-2025-22953
**Name of the Vulnerable Software and Affected Versions**
Epicor HCM version 2021 1.9
**Description**
A SQL injection vulnerability exists in the `filter` parameter of the `JsonFetcher.svc` endpoint. An attacker can inject SQL into the `filter` parameter and thereby execute arbitrary SQL statements against the backend database without authorization. If database features such as `xp_cmdshell` are enabled, this can escalate to remote code execution on the database server.
**Recommendations**
For Epicor HCM version 2021 1.9, disable the `JsonFetcher.svc` endpoint or restrict access to it until a patch is available, and avoid passing the `filter` parameter to the affected endpoint until the issue is resolved.
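Until the endpoint can be disabled, monitoring requests to it helps. The following detector is an added example, not code from the advisory or from Epicor: it scans access-log lines and flags requests to `JsonFetcher.svc` whose `filter` parameter contains SQL injection markers, including the `xp_cmdshell` reference above. The log line format, the sample lines and the marker list are constructed assumptions to adapt to your own logs and baseline.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint named in the advisory; the path check is case-insensitive.
ENDPOINT = "jsonfetcher.svc"

# Markers typical of SQL injection in a filter value, including the
# xp_cmdshell reference the advisory mentions. Tune to your own baseline.
SUSPICIOUS = re.compile(
    r"(--|/\*|;\s*exec(ute)?\b|\bxp_cmdshell\b|\bunion\s+(all\s+)?select\b"
    r"|'\s*(or|and)\s+[\w']+\s*=\s*[\w']+|\bwaitfor\s+delay\b)",
    re.IGNORECASE,
)

# Constructed access-log lines (hypothetical format: client "METHOD url HTTP/x" status).
SAMPLE_LOG = """\
10.0.0.5 "GET /HCM/JsonFetcher.svc/Fetch?filter=LastName%20eq%20%27Smith%27 HTTP/1.1" 200
10.0.0.9 "GET /HCM/JsonFetcher.svc/Fetch?filter=%27%3B%20xp_cmdshell%20-- HTTP/1.1" 500
10.0.0.7 "GET /HCM/Home.aspx?filter=%27%20OR%201%3D1-- HTTP/1.1" 200
10.0.0.9 "POST /HCM/JsonFetcher.svc/Fetch?filter=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200
"""
LOG_LINE = re.compile(r'^(\S+) "(\S+) (\S+) HTTP/[\d.]+" (\d+)$')


def analyze_request(url):
    """Return the suspicious fragments found in the `filter` parameter of a
    JsonFetcher.svc request, or an empty list for any other request."""
    parts = urlsplit(url)
    if ENDPOINT not in parts.path.lower():
        return []  # other endpoints are out of scope for this rule
    findings = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("filter", []):
        decoded = unquote_plus(value)  # second pass catches double-encoded input
        match = SUSPICIOUS.search(decoded)
        if match:
            findings.append(match.group(0))
    return findings


def scan_log(lines):
    """Return one finding dict per flagged request in the given log lines."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # ignore lines in another format
        client, method, url, status = m.groups()
        for marker in analyze_request(url):
            hits.append({"client": client, "method": method,
                         "status": int(status), "marker": marker})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['client']} {hit['method']} status={hit['status']} marker={hit['marker']!r}")
```

A benign filter such as `LastName eq 'Smith'` is not flagged, while the same payload sent to a different endpoint is ignored by design; widen `ENDPOINT` if your deployment exposes the service under another path.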