UNIT4 TETA Mobile Edition 29HF13 was discovered to contain a SQL injection vulnerability via the ProfileName parameter in the errorReporting page.
The vulnerability exist in the error page generated by the application (in this case: while changing password). Adding quotation mark to the ProfileName parameter will generate Oracle database error, meaning that the input is not being sanitized.
The vulnerability already has been reported to the UNIT4 via their service portal. The patch is already available to download (29.5.HF17).