Epicor
Products (5)
- 7 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-42844 | | High | 0.53 | 8.1 | 0.00 | | Mar 6, 2025 | A SQL Injection vulnerability has been identified in EPICOR Prophet 21 (P21) up to 23.2.5232. This vulnerability allows authenticated remote attackers to execute arbitrary SQL commands through unsanitized user input fields to obtain unauthorized information |
| CVE-2015-2210 | | High | 0.51 | 7.8 | 0.01 | | Sep 6, 2017 | The help window in Epicor CRS Retail Store before 3.2.03.01.008 allows local users to execute arbitrary code by injecting Javascript into the window source to create a button that spawns a command shell. |
| CVE-2019-11033 | | Med | 0.40 | 6.1 | 0.01 | | May 16, 2019 | Applaud HCM 4.0.42+ uses HTML tag fields for HTML inputs in a form. This leads to an XSS vulnerability with a payload starting with the `<iframe./>` substring. |
| CVE-2021-35968 | | Med | 0.28 | 4.3 | 0.01 | | Jul 19, 2021 | The directory list page parameter of the Orca HCM digital learning platform fails to filter special characters properly. Remote attackers can access the system directory thru Path Traversal with users’ privileges. |
| CVE-2014-4311 | | | 0.03 | — | 0.06 | | Nov 4, 2014 | Epicor Enterprise 7.4 before FS74SP6_HotfixTL054181 allows attackers to obtain the (1) Database Connection and (2) E-mail Connection passwords by reading HTML source code of the database connection and email settings page. |
| CVE-2014-4312 | | | 0.03 | — | 0.04 | | Oct 10, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Epicor Enterprise 7.4 before FS74SP6_HotfixTL054181 allow remote attackers to inject arbitrary web script or HTML via the (1) Notes section to Order details; (2) Description section to "Order to consume"; (3) Favorites name… |
| CVE-2025-22953 | | | 0.00 | — | 0.02 | | Mar 28, 2025 | A SQL injection vulnerability exists in Epicor HCM 2021 1.9, with patches available: 5.16.0.1033/HCM2022, 5.17.0.1146/HCM2023, and 5.18.0.573/HCM2024. The injection is specifically in the filter parameter of the JsonFetcher.svc endpoint. An attacker can exploit this… |
| CVE-2022-46903 | | | 0.00 | — | 0.00 | | Dec 12, 2022 | Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Stored XSS. |
| CVE-2022-46906 | | | 0.00 | — | 0.00 | | Dec 12, 2022 | Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Reflected XSS. |
| CVE-2022-46905 | | | 0.00 | — | 0.00 | | Dec 12, 2022 | Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an unauthenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Reflected XSS. |
| CVE-2022-46904 | | | 0.00 | — | 0.00 | | Dec 12, 2022 | Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Self-XSS. |
| CVE-2014-4313 | | | 0.00 | — | 0.02 | | Oct 10, 2014 | SQL injection vulnerability in Epicor Procurement before 7.4 SP2 allows remote attackers to execute arbitrary SQL commands via the User field. |