CVE-2024-42844
Description
A SQL Injection vulnerability has been identified in EPICOR Prophet 21 (P21) up to 23.2.5232. This vulnerability allows authenticated remote attackers to execute arbitrary SQL commands through unsanitized user input fields to obtain unauthorized information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in EPICOR Prophet 21 up to 23.2.5232 allows remote attackers to execute arbitrary SQL commands via unsanitized input to obtain unauthorized data.
Vulnerability
Overview
CVE-2024-42844 is an authenticated SQL injection vulnerability in EPICOR Prophet 21 (P21) up to version 23.2.5232. The root cause is unsanitized user input fields that fail to properly neutralize special SQL elements, enabling an attacker to inject arbitrary SQL commands into queries executed by the application [1].
Exploitation
The attack vector is remote and requires prior authentication, meaning an attacker must have valid credentials to exploit the flaw. Once authenticated, the attacker supplies malicious SQL payloads via the vulnerable input fields, and the application processes them without adequate sanitization, leading to unauthorized database interaction [1].
Impact
Successful exploitation allows an authenticated remote attacker to execute arbitrary SQL commands against the backend database. This can result in the unauthorized retrieval, modification, or deletion of sensitive data, potentially compromising the confidentiality and integrity of the system [1].
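The root cause described above (query text built from unsanitized input so that SQL metacharacters change the statement's meaning) and its standard fix (a fixed query with bound parameters) side by side. This is an added illustration written for this page, not code from EPICOR Prophet 21; the `customers` table, the `lookup_vulnerable` and `lookup_parameterized` functions and the sample rows are all constructed here, and the page says nothing about which P21 fields or tables are affected.

```python
import sqlite3


def build_db():
    # Constructed in-memory table standing in for an application's data;
    # each row is scoped to an 'owner' so a lookup should only ever see its own rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "Acme", "alice"), (2, "Globex", "bob")],
    )
    return conn


def lookup_vulnerable(conn, owner, name):
    # Vulnerable pattern: the user-controlled 'name' is spliced into the SQL text,
    # so quote characters and operators inside it become part of the statement.
    sql = f"SELECT id, name FROM customers WHERE owner = '{owner}' AND name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner, name):
    # Hardened pattern: the statement is fixed; values are bound as parameters and
    # the database driver never interprets them as SQL, whatever characters they hold.
    sql = "SELECT id, name FROM customers WHERE owner = ? AND name = ?"
    return conn.execute(sql, (owner, name)).fetchall()


def compare(name):
    # Run the same input through both forms and return (vulnerable_rows, hardened_rows)
    # for the authenticated user 'alice'.
    conn = build_db()
    return lookup_vulnerable(conn, "alice", name), lookup_parameterized(conn, "alice", name)


if __name__ == "__main__":
    # A benign lookup behaves identically under both forms.
    print(compare("Acme"))
    # An input containing a quote and an OR clause breaks the owner scoping in the
    # concatenated form (every row comes back) but matches nothing once parameterized.
    print(compare("x' OR '1'='1"))
```

The `compare` helper is what a reviewer would want to see when auditing an input field: the benign value gives the same single row in both forms, while the quoted value returns rows belonging to another user only through the concatenated query. Any code path where the hardened form and the concatenated form disagree on the same input is a candidate for the class of flaw this CVE describes.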
Mitigation
EPICOR has released a fix in version 24.1.5358. Customers are advised to upgrade to this version or later. Additional details are available in EpicCare article KB0138127 [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.