Search criteria
72 vulnerabilities found for ec-cube by ec-cube
FKIE_CVE-2023-46845
Vulnerability from fkie_nvd - Published: 2023-11-07 08:15 - Updated: 2024-11-21 08:29
Severity ?
Summary
EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN29195731/ | Third Party Advisory | |
| vultures@jpcert.or.jp | https://www.ec-cube.net/info/weakness/20231026/index.php | Exploit, Patch, Vendor Advisory | |
| vultures@jpcert.or.jp | https://www.ec-cube.net/info/weakness/20231026/index_3.php | Exploit, Patch, Vendor Advisory | |
| vultures@jpcert.or.jp | https://www.ec-cube.net/info/weakness/20231026/index_40.php | Exploit, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN29195731/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ec-cube.net/info/weakness/20231026/index.php | Exploit, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ec-cube.net/info/weakness/20231026/index_3.php | Exploit, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ec-cube.net/info/weakness/20231026/index_40.php | Exploit, Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ec-cube | ec-cube | * | |
| ec-cube | ec-cube | * | |
| ec-cube | ec-cube | * | |
| ec-cube | ec-cube | * | |
| ec-cube | ec-cube | 3.0.18 | |
| ec-cube | ec-cube | 3.0.18 | |
| ec-cube | ec-cube | 3.0.18 | |
| ec-cube | ec-cube | 3.0.18 | |
| ec-cube | ec-cube | 3.0.18 | |
| ec-cube | ec-cube | 3.0.18 | |
| ec-cube | ec-cube | 4.0.6 | |
| ec-cube | ec-cube | 4.0.6 | |
| ec-cube | ec-cube | 4.0.6 | |
| ec-cube | ec-cube | 4.1.2 | |
| ec-cube | ec-cube | 4.1.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "82CF44DC-7824-4C6E-BA58-1B5C929EA7FF",
"versionEndIncluding": "3.0.18",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DD2386CF-AA07-447D-AEA2-7C8202844E3E",
"versionEndIncluding": "4.0.6",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2482369B-5D65-4C5C-BABE-40AE3ADF2DBE",
"versionEndIncluding": "4.1.2",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DADE1F31-F4D6-4324-9FF7-AB4C1110A85C",
"versionEndExcluding": "4.2.3",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p1:*:*:*:*:*:*",
"matchCriteriaId": "10F6D9C1-B4F3-44D8-B266-787DA62228E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p2:*:*:*:*:*:*",
"matchCriteriaId": "B10AA450-F786-4AFD-9F26-9B2E2D57C5C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p3:*:*:*:*:*:*",
"matchCriteriaId": "8D30A28C-609A-4B6F-B257-7A577133A9FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p4:*:*:*:*:*:*",
"matchCriteriaId": "7530D411-D883-48E4-8D3F-6E6AEF7398E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p5:*:*:*:*:*:*",
"matchCriteriaId": "EC24B844-49C6-48EB-ADE1-4E8B2FA1B230",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p6:*:*:*:*:*:*",
"matchCriteriaId": "173CA606-87CA-4DDE-AD20-3F0D0CC75BF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.0.6:p1:*:*:*:*:*:*",
"matchCriteriaId": "56A84599-1C39-4B65-8256-CE5DE240CF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.0.6:p2:*:*:*:*:*:*",
"matchCriteriaId": "EC0D4970-06C7-49D7-B249-7ECA1FCF770E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.0.6:p3:*:*:*:*:*:*",
"matchCriteriaId": "7C5C8CCA-12BA-4EE3-8B12-C3D82D89C886",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.1.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "77DCDC1E-072D-4859-AD9D-1F1547A5C7BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.1.2:p2:*:*:*:*:*:*",
"matchCriteriaId": "833340A1-0C34-4FE6-9820-CBCA7F3DC96C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege."
},
{
"lang": "es",
"value": "EC-CUBE series 3 (3.0.0 a 3.0.18-p6) y 4 (4.0.0 a 4.0.6-p3, 4.1.0 a 4.1.2-p2 y 4.2.0 a 4.2.2) contienen una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo arbitrario debido a una configuraci\u00f3n incorrecta del motor de plantillas Twig incluido en el producto. Como resultado, un usuario con privilegios administrativos puede ejecutar c\u00f3digo arbitrario en el servidor donde se ejecuta el producto."
}
],
"id": "CVE-2023-46845",
"lastModified": "2024-11-21T08:29:24.673",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-07T08:15:24.257",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN29195731/"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20231026/index.php"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20231026/index_3.php"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20231026/index_40.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN29195731/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20231026/index.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20231026/index_3.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20231026/index_40.php"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-40281
Vulnerability from fkie_nvd - Published: 2023-08-17 07:15 - Updated: 2024-11-21 08:19
Severity ?
Summary
EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page.
If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN46993816/ | Third Party Advisory | |
| vultures@jpcert.or.jp | https://www.ec-cube.net/info/weakness/20230727/ | Mitigation, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN46993816/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ec-cube.net/info/weakness/20230727/ | Mitigation, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "04878955-7CDF-41E3-9D15-EB0C32897503",
"versionEndIncluding": "2.11.5",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "829D5D2D-FC6C-409E-A172-FC5F3CF11313",
"versionEndIncluding": "2.12.6",
"versionStartIncluding": "2.12.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F9750836-5979-4123-B62A-3423FB40F1C6",
"versionEndExcluding": "2.13.5",
"versionStartIncluding": "2.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8C35039E-3E0E-4D9B-9B3C-6FCBE4FA01FA",
"versionEndExcluding": "2.17.2",
"versionStartIncluding": "2.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:2.13.5:-:*:*:*:*:*:*",
"matchCriteriaId": "3C6F2E99-DBA6-4433-AD29-9D00EAAAA17B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:2.13.5:patch1:*:*:*:*:*:*",
"matchCriteriaId": "D3C5F732-C51A-4586-9C0E-7B88E23F23FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:2.17.2:-:*:*:*:*:*:*",
"matchCriteriaId": "5AB363C8-0F2E-466A-81D3-536592F4BEC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:2.17.2:patch1:*:*:*:*:*:*",
"matchCriteriaId": "B0B798E3-A599-49B8-A820-244EDD94B2C4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in \"mail/template\" and \"products/product\" of Management page.\r\nIf this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product."
}
],
"id": "CVE-2023-40281",
"lastModified": "2024-11-21T08:19:07.793",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-17T07:15:44.153",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN46993816/"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20230727/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN46993816/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20230727/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-22838
Vulnerability from fkie_nvd - Published: 2023-03-06 00:15 - Updated: 2024-11-21 07:45
Severity ?
Summary
Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN04785663/ | Third Party Advisory | |
| vultures@jpcert.or.jp | https://www.ec-cube.net/info/weakness/20230214/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN04785663/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ec-cube.net/info/weakness/20230214/ | Patch, Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DD2386CF-AA07-447D-AEA2-7C8202844E3E",
"versionEndIncluding": "4.0.6",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2482369B-5D65-4C5C-BABE-40AE3ADF2DBE",
"versionEndIncluding": "4.1.2",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.0.6:p1:*:*:*:*:*:*",
"matchCriteriaId": "56A84599-1C39-4B65-8256-CE5DE240CF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.0.6:p2:*:*:*:*:*:*",
"matchCriteriaId": "EC0D4970-06C7-49D7-B249-7ECA1FCF770E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.1.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "77DCDC1E-072D-4859-AD9D-1F1547A5C7BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "899A469F-AECA-4B58-9287-1FBFBF663B87",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script."
}
],
"id": "CVE-2023-22838",
"lastModified": "2024-11-21T07:45:29.713",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-06T00:15:10.830",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN04785663/"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN04785663/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-25077
Vulnerability from fkie_nvd - Published: 2023-03-06 00:15 - Updated: 2024-11-21 07:49
Severity ?
Summary
Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN04785663/ | Third Party Advisory | |
| vultures@jpcert.or.jp | https://www.ec-cube.net/info/weakness/20230214/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN04785663/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ec-cube.net/info/weakness/20230214/ | Patch, Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DD2386CF-AA07-447D-AEA2-7C8202844E3E",
"versionEndIncluding": "4.0.6",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2482369B-5D65-4C5C-BABE-40AE3ADF2DBE",
"versionEndIncluding": "4.1.2",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.0.6:p1:*:*:*:*:*:*",
"matchCriteriaId": "56A84599-1C39-4B65-8256-CE5DE240CF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.0.6:p2:*:*:*:*:*:*",
"matchCriteriaId": "EC0D4970-06C7-49D7-B249-7ECA1FCF770E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.1.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "77DCDC1E-072D-4859-AD9D-1F1547A5C7BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "899A469F-AECA-4B58-9287-1FBFBF663B87",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script."
}
],
"id": "CVE-2023-25077",
"lastModified": "2024-11-21T07:49:03.640",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-06T00:15:10.900",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN04785663/"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN04785663/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-22438
Vulnerability from fkie_nvd - Published: 2023-03-06 00:15 - Updated: 2025-03-07 22:15
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN04785663/ | Third Party Advisory | |
| vultures@jpcert.or.jp | https://www.ec-cube.net/info/weakness/20230214/ | Patch, Release Notes, Vendor Advisory | |
| vultures@jpcert.or.jp | https://www.ec-cube.net/info/weakness/20230214/index_2.php | Patch, Release Notes, Vendor Advisory | |
| vultures@jpcert.or.jp | https://www.ec-cube.net/info/weakness/20230214/index_3.php | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN04785663/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ec-cube.net/info/weakness/20230214/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ec-cube.net/info/weakness/20230214/index_2.php | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ec-cube.net/info/weakness/20230214/index_3.php | Patch, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ec-cube | ec-cube | * | |
| ec-cube | ec-cube | * | |
| ec-cube | ec-cube | * | |
| ec-cube | ec-cube | * | |
| ec-cube | ec-cube | * | |
| ec-cube | ec-cube | * | |
| ec-cube | ec-cube | * | |
| ec-cube | ec-cube | 3.0.18 | |
| ec-cube | ec-cube | 3.0.18 | |
| ec-cube | ec-cube | 3.0.18 | |
| ec-cube | ec-cube | 3.0.18 | |
| ec-cube | ec-cube | 3.0.18 | |
| ec-cube | ec-cube | 4.0.6 | |
| ec-cube | ec-cube | 4.0.6 | |
| ec-cube | ec-cube | 4.1.2 | |
| ec-cube | ec-cube | 4.2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "04878955-7CDF-41E3-9D15-EB0C32897503",
"versionEndIncluding": "2.11.5",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "829D5D2D-FC6C-409E-A172-FC5F3CF11313",
"versionEndIncluding": "2.12.6",
"versionStartIncluding": "2.12.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22BD79CE-BC60-4D68-9CA9-A907C6A0683D",
"versionEndIncluding": "2.13.5",
"versionStartIncluding": "2.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "271FDC56-FD41-440F-9676-2B6814DEC48A",
"versionEndIncluding": "2.17.2",
"versionStartIncluding": "2.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "82CF44DC-7824-4C6E-BA58-1B5C929EA7FF",
"versionEndIncluding": "3.0.18",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DD2386CF-AA07-447D-AEA2-7C8202844E3E",
"versionEndIncluding": "4.0.6",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2482369B-5D65-4C5C-BABE-40AE3ADF2DBE",
"versionEndIncluding": "4.1.2",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p1:*:*:*:*:*:*",
"matchCriteriaId": "10F6D9C1-B4F3-44D8-B266-787DA62228E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p2:*:*:*:*:*:*",
"matchCriteriaId": "B10AA450-F786-4AFD-9F26-9B2E2D57C5C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p3:*:*:*:*:*:*",
"matchCriteriaId": "8D30A28C-609A-4B6F-B257-7A577133A9FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p4:*:*:*:*:*:*",
"matchCriteriaId": "7530D411-D883-48E4-8D3F-6E6AEF7398E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p5:*:*:*:*:*:*",
"matchCriteriaId": "EC24B844-49C6-48EB-ADE1-4E8B2FA1B230",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.0.6:p1:*:*:*:*:*:*",
"matchCriteriaId": "56A84599-1C39-4B65-8256-CE5DE240CF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.0.6:p2:*:*:*:*:*:*",
"matchCriteriaId": "EC0D4970-06C7-49D7-B249-7ECA1FCF770E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.1.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "77DCDC1E-072D-4859-AD9D-1F1547A5C7BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "899A469F-AECA-4B58-9287-1FBFBF663B87",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script."
}
],
"id": "CVE-2023-22438",
"lastModified": "2025-03-07T22:15:37.427",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-03-06T00:15:10.767",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN04785663/"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/index_2.php"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/index_3.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN04785663/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/index_2.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/index_3.php"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-40199
Vulnerability from fkie_nvd - Published: 2022-09-27 23:15 - Updated: 2025-05-21 19:16
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Summary
Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure information.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN21213852/index.html | Third Party Advisory | |
| vultures@jpcert.or.jp | https://www.ec-cube.net/info/weakness/20220909/ | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN21213852/index.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ec-cube.net/info/weakness/20220909/ | Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5CB1CDC4-2EB3-4003-B9C2-A2B0819685C4",
"versionEndExcluding": "3.0.18",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D8AAB855-540E-4D14-9BDD-AA377E0EB91A",
"versionEndIncluding": "4.1.2",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:-:*:*:*:*:*:*",
"matchCriteriaId": "8D6A3FBD-7161-461D-B165-E3BCA42BBB2A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p1:*:*:*:*:*:*",
"matchCriteriaId": "10F6D9C1-B4F3-44D8-B266-787DA62228E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p2:*:*:*:*:*:*",
"matchCriteriaId": "B10AA450-F786-4AFD-9F26-9B2E2D57C5C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p3:*:*:*:*:*:*",
"matchCriteriaId": "8D30A28C-609A-4B6F-B257-7A577133A9FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p4:*:*:*:*:*:*",
"matchCriteriaId": "7530D411-D883-48E4-8D3F-6E6AEF7398E8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product\u0027s directory structure information."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Salto de Directorio en las series EC-CUBE 3 (EC-CUBE versiones 3.0.0 a 3.0.18-p4 ) y EC-CUBE 4 (EC-CUBE versiones 4.0.0 a 4.1.2) permite a un atacante remoto autenticado con privilegio administrativo obtener la informaci\u00f3n de la estructura de directorios del producto"
}
],
"id": "CVE-2022-40199",
"lastModified": "2025-05-21T19:16:00.597",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-09-27T23:15:16.207",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20220909/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20220909/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-38975
Vulnerability from fkie_nvd - Published: 2022-09-27 23:15 - Updated: 2025-05-21 19:15
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN21213852/index.html | Third Party Advisory | |
| vultures@jpcert.or.jp | https://www.ec-cube.net/info/weakness/20220909/ | Not Applicable, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN21213852/index.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ec-cube.net/info/weakness/20220909/ | Not Applicable, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D8AAB855-540E-4D14-9BDD-AA377E0EB91A",
"versionEndIncluding": "4.1.2",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross-site scripting basada en DOM en la serie EC-CUBE 4 (EC-CUBE versiones 4.0.0 a 4.1.2) permite a un atacante remoto inyectar un script arbitrario al hacer a un usuario administrativo del producto visitar una p\u00e1gina especialmente dise\u00f1ada"
}
],
"id": "CVE-2022-38975",
"lastModified": "2025-05-21T19:15:57.247",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-09-27T23:15:15.300",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Not Applicable",
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20220909/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable",
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20220909/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-25355
Vulnerability from fkie_nvd - Published: 2022-02-24 15:15 - Updated: 2024-11-21 06:52
Severity ?
Summary
EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN53871926/index.html | Third Party Advisory | |
| vultures@jpcert.or.jp | https://www.ec-cube.net/info/weakness/20220221/ | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN53871926/index.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ec-cube.net/info/weakness/20220221/ | Mitigation, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5CB1CDC4-2EB3-4003-B9C2-A2B0819685C4",
"versionEndExcluding": "3.0.18",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5C0209A3-AECC-4511-AE7A-9D238C3A24B1",
"versionEndIncluding": "4.1.1",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:-:*:*:*:*:*:*",
"matchCriteriaId": "8D6A3FBD-7161-461D-B165-E3BCA42BBB2A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p1:*:*:*:*:*:*",
"matchCriteriaId": "10F6D9C1-B4F3-44D8-B266-787DA62228E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p2:*:*:*:*:*:*",
"matchCriteriaId": "B10AA450-F786-4AFD-9F26-9B2E2D57C5C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:3.0.18:p3:*:*:*:*:*:*",
"matchCriteriaId": "8D30A28C-609A-4B6F-B257-7A577133A9FE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users."
},
{
"lang": "es",
"value": "EC-CUBE versiones 3.0.0 a 3.0.18-p3 y EC-CUBE versiones 4.0.0 a 4.1.1, manejan inapropiadamente los valores del encabezado HTTP Host, lo que puede conllevar a que un atacante remoto no autenticado dirija la versi\u00f3n vulnerable de EC-CUBE para enviar un correo electr\u00f3nico con alguna URL de reemisi\u00f3n de contrase\u00f1a falsificada a usuarios de EC-CUBE"
}
],
"id": "CVE-2022-25355",
"lastModified": "2024-11-21T06:52:03.767",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-24T15:15:31.490",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN53871926/index.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20220221/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN53871926/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20220221/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-913"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-20842
Vulnerability from fkie_nvd - Published: 2021-11-24 16:15 - Updated: 2024-11-21 05:47
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN75444925/index.html | Third Party Advisory | |
| vultures@jpcert.or.jp | https://www.ec-cube.net/info/weakness/20211111/ | Exploit, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN75444925/index.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ec-cube.net/info/weakness/20211111/ | Exploit, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "509BCE34-2FA1-40D1-87A0-57E0E31D0DF3",
"versionEndIncluding": "2.17.1",
"versionStartIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross-site request forgery (CSRF) en EC-CUBE 2 series versiones 2.11.0 a 2.17.1 permite a un atacante remoto secuestrar la autenticaci\u00f3n del Administrador y eliminar el Administrador por medio de una p\u00e1gina web especialmente dise\u00f1ada"
}
],
"id": "CVE-2021-20842",
"lastModified": "2024-11-21T05:47:15.870",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-24T16:15:13.157",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20211111/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20211111/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-20841
Vulnerability from fkie_nvd - Published: 2021-11-24 16:15 - Updated: 2024-11-21 05:47
Severity ?
Summary
Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN75444925/index.html | Third Party Advisory | |
| vultures@jpcert.or.jp | https://www.ec-cube.net/info/weakness/20211111/ | Exploit, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN75444925/index.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ec-cube.net/info/weakness/20211111/ | Exploit, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*",
"matchCriteriaId": "46C6E563-677C-459E-A963-507EB880BE13",
"versionEndIncluding": "2.17.1",
"versionStartIncluding": "2.11.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors."
},
{
"lang": "es",
"value": "Un control de acceso inapropiado en la pantalla de administraci\u00f3n de EC-CUBE 2 series versiones 2.11.2 a 2.17.1 permite a un atacante remoto autenticado omitir la restricci\u00f3n de acceso y alterar la configuraci\u00f3n del sistema por medio de vectores no especificados"
}
],
"id": "CVE-2021-20841",
"lastModified": "2024-11-21T05:47:15.773",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-24T16:15:13.107",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20211111/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://www.ec-cube.net/info/weakness/20211111/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-46845 (GCVE-0-2023-46845)
Vulnerability from cvelistv5 – Published: 2023-11-07 07:39 – Updated: 2024-09-04 20:28
VLAI?
Summary
EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.
Severity ?
No CVSS data available.
CWE
- Code injection
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 4 series |
Affected:
4.0.0 to 4.0.6-p3
Affected: 4.1.0 to 4.1.2-p2 Affected: and 4.2.0 to 4.2.2 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:21.888Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20231026/index_40.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20231026/index.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20231026/index_3.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN29195731/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46845",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T20:27:53.327326Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T20:28:15.713Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 4 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "4.0.0 to 4.0.6-p3"
},
{
"status": "affected",
"version": " 4.1.0 to 4.1.2-p2"
},
{
"status": "affected",
"version": " and 4.2.0 to 4.2.2"
}
]
},
{
"product": "EC-CUBE 3 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "3.0.0 to 3.0.18-p6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Code injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-07T07:39:57.896Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ec-cube.net/info/weakness/20231026/index_40.php"
},
{
"url": "https://www.ec-cube.net/info/weakness/20231026/index.php"
},
{
"url": "https://www.ec-cube.net/info/weakness/20231026/index_3.php"
},
{
"url": "https://jvn.jp/en/jp/JVN29195731/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-46845",
"datePublished": "2023-11-07T07:39:57.896Z",
"dateReserved": "2023-10-27T08:05:25.926Z",
"dateUpdated": "2024-09-04T20:28:15.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40281 (GCVE-0-2023-40281)
Vulnerability from cvelistv5 – Published: 2023-08-17 06:37 – Updated: 2024-10-08 17:38
VLAI?
Summary
EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page.
If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 2 series |
Affected:
2.11.0 to 2.17.2-p1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:31:53.206Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20230727/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN46993816/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ec-cube:ec-cube_2:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ec-cube_2",
"vendor": "ec-cube",
"versions": [
{
"lessThanOrEqual": "2.17.2-p1",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T17:32:20.274466Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T17:38:02.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 2 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "2.11.0 to 2.17.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in \"mail/template\" and \"products/product\" of Management page.\r\nIf this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-17T06:37:01.773Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ec-cube.net/info/weakness/20230727/"
},
{
"url": "https://jvn.jp/en/jp/JVN46993816/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-40281",
"datePublished": "2023-08-17T06:37:01.773Z",
"dateReserved": "2023-08-14T00:40:59.318Z",
"dateUpdated": "2024-10-08T17:38:02.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25077 (GCVE-0-2023-25077)
Vulnerability from cvelistv5 – Published: 2023-03-05 00:00 – Updated: 2025-03-06 15:59
VLAI?
Summary
Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 4 series |
Affected:
EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:11:43.452Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN04785663/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25077",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-06T15:59:18.281604Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-06T15:59:31.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 4 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-05T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"url": "https://jvn.jp/en/jp/JVN04785663/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-25077",
"datePublished": "2023-03-05T00:00:00.000Z",
"dateReserved": "2023-02-17T00:00:00.000Z",
"dateUpdated": "2025-03-06T15:59:31.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22838 (GCVE-0-2023-22838)
Vulnerability from cvelistv5 – Published: 2023-03-05 00:00 – Updated: 2025-03-06 16:02
VLAI?
Summary
Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 4 series |
Affected:
EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:31.054Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN04785663/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22838",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-06T16:01:51.762350Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-06T16:02:05.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 4 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-05T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"url": "https://jvn.jp/en/jp/JVN04785663/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-22838",
"datePublished": "2023-03-05T00:00:00.000Z",
"dateReserved": "2023-02-17T00:00:00.000Z",
"dateUpdated": "2025-03-06T16:02:05.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22438 (GCVE-0-2023-22438)
Vulnerability from cvelistv5 – Published: 2023-03-05 00:00 – Updated: 2025-03-07 21:47
VLAI?
Summary
Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script.
Severity ?
5.4 (Medium)
CWE
- Cross-site scripting
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 4 series, EC-CUBE 3 series, and EC-CUBE 2 series |
Affected:
EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, EC-CUBE 4.2.0, EC-CUBE 3.0.0 to 3.0.18-p5, EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:06.585Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/index_3.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/index_2.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN04785663/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-22438",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T21:46:40.424694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T21:47:56.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 4 series, EC-CUBE 3 series, and EC-CUBE 2 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, EC-CUBE 4.2.0, EC-CUBE 3.0.0 to 3.0.18-p5, EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-05T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"url": "https://www.ec-cube.net/info/weakness/20230214/index_3.php"
},
{
"url": "https://www.ec-cube.net/info/weakness/20230214/index_2.php"
},
{
"url": "https://jvn.jp/en/jp/JVN04785663/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-22438",
"datePublished": "2023-03-05T00:00:00.000Z",
"dateReserved": "2022-12-28T00:00:00.000Z",
"dateUpdated": "2025-03-07T21:47:56.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40199 (GCVE-0-2022-40199)
Vulnerability from cvelistv5 – Published: 2022-09-27 01:55 – Updated: 2025-05-21 18:23
VLAI?
Summary
Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure information.
Severity ?
CWE
- Directory traversal
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 3 series and EC-CUBE 4 series |
Affected:
EC-CUBE 3.0.0 to 3.0.18-p4 and EC-CUBE 4.0.0 to 4.1.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.950Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20220909/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-40199",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-21T18:22:17.185316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T18:23:18.170Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 3 series and EC-CUBE 4 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "EC-CUBE 3.0.0 to 3.0.18-p4 and EC-CUBE 4.0.0 to 4.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product\u0027s directory structure information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Directory traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-27T01:55:17.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ec-cube.net/info/weakness/20220909/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-40199",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "EC-CUBE 3 series and EC-CUBE 4 series",
"version": {
"version_data": [
{
"version_value": "EC-CUBE 3.0.0 to 3.0.18-p4 and EC-CUBE 4.0.0 to 4.1.2"
}
]
}
}
]
},
"vendor_name": "EC-CUBE CO.,LTD."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product\u0027s directory structure information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Directory traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ec-cube.net/info/weakness/20220909/",
"refsource": "MISC",
"url": "https://www.ec-cube.net/info/weakness/20220909/"
},
{
"name": "https://jvn.jp/en/jp/JVN21213852/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-40199",
"datePublished": "2022-09-27T01:55:17.000Z",
"dateReserved": "2022-09-09T00:00:00.000Z",
"dateUpdated": "2025-05-21T18:23:18.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-38975 (GCVE-0-2022-38975)
Vulnerability from cvelistv5 – Published: 2022-09-27 01:55 – Updated: 2025-05-21 18:24
VLAI?
Summary
DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page.
Severity ?
5.4 (Medium)
CWE
- Cross-site scripting
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 4 series |
Affected:
EC-CUBE 4.0.0 to 4.1.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T11:10:32.098Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20220909/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-38975",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-21T18:23:58.811469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T18:24:22.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 4 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "EC-CUBE 4.0.0 to 4.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-27T01:55:16.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ec-cube.net/info/weakness/20220909/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-38975",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "EC-CUBE 4 series",
"version": {
"version_data": [
{
"version_value": "EC-CUBE 4.0.0 to 4.1.2"
}
]
}
}
]
},
"vendor_name": "EC-CUBE CO.,LTD."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ec-cube.net/info/weakness/20220909/",
"refsource": "MISC",
"url": "https://www.ec-cube.net/info/weakness/20220909/"
},
{
"name": "https://jvn.jp/en/jp/JVN21213852/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-38975",
"datePublished": "2022-09-27T01:55:16.000Z",
"dateReserved": "2022-09-09T00:00:00.000Z",
"dateUpdated": "2025-05-21T18:24:22.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25355 (GCVE-0-2022-25355)
Vulnerability from cvelistv5 – Published: 2022-02-24 09:50 – Updated: 2024-08-03 04:36
VLAI?
Summary
EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users.
Severity ?
No CVSS data available.
CWE
- Improper Control of Dynamically-Managed Code Resources
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 3 series and EC-CUBE 4 series |
Affected:
EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:36:07.005Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20220221/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN53871926/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 3 series and EC-CUBE 4 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-24T09:50:35",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ec-cube.net/info/weakness/20220221/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN53871926/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-25355",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "EC-CUBE 3 series and EC-CUBE 4 series",
"version": {
"version_data": [
{
"version_value": "EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1"
}
]
}
}
]
},
"vendor_name": "EC-CUBE CO.,LTD."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Control of Dynamically-Managed Code Resources"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ec-cube.net/info/weakness/20220221/",
"refsource": "MISC",
"url": "https://www.ec-cube.net/info/weakness/20220221/"
},
{
"name": "https://jvn.jp/en/jp/JVN53871926/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN53871926/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-25355",
"datePublished": "2022-02-24T09:50:35",
"dateReserved": "2022-02-20T00:00:00",
"dateUpdated": "2024-08-03T04:36:07.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20842 (GCVE-0-2021-20842)
Vulnerability from cvelistv5 – Published: 2021-11-24 08:25 – Updated: 2024-08-03 17:53
VLAI?
Summary
Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page.
Severity ?
No CVSS data available.
CWE
- Cross-site request forgery
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 2 series |
Affected:
2.11.0 to 2.17.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20211111/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 2 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "2.11.0 to 2.17.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-24T08:25:42",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ec-cube.net/info/weakness/20211111/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20842",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "EC-CUBE 2 series",
"version": {
"version_data": [
{
"version_value": "2.11.0 to 2.17.1"
}
]
}
}
]
},
"vendor_name": "EC-CUBE CO.,LTD."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site request forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ec-cube.net/info/weakness/20211111/",
"refsource": "MISC",
"url": "https://www.ec-cube.net/info/weakness/20211111/"
},
{
"name": "https://jvn.jp/en/jp/JVN75444925/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20842",
"datePublished": "2021-11-24T08:25:42",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:22.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20841 (GCVE-0-2021-20841)
Vulnerability from cvelistv5 – Published: 2021-11-24 08:25 – Updated: 2024-08-03 17:53
VLAI?
Summary
Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- Fails to restrict access
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 2 series |
Affected:
2.11.2 to 2.17.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20211111/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 2 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "2.11.2 to 2.17.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Fails to restrict access",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-24T08:25:41",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ec-cube.net/info/weakness/20211111/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20841",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "EC-CUBE 2 series",
"version": {
"version_data": [
{
"version_value": "2.11.2 to 2.17.1"
}
]
}
}
]
},
"vendor_name": "EC-CUBE CO.,LTD."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Fails to restrict access"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ec-cube.net/info/weakness/20211111/",
"refsource": "MISC",
"url": "https://www.ec-cube.net/info/weakness/20211111/"
},
{
"name": "https://jvn.jp/en/jp/JVN75444925/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20841",
"datePublished": "2021-11-24T08:25:41",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:22.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46845 (GCVE-0-2023-46845)
Vulnerability from nvd – Published: 2023-11-07 07:39 – Updated: 2024-09-04 20:28
VLAI?
Summary
EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.
Severity ?
No CVSS data available.
CWE
- Code injection
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 4 series |
Affected:
4.0.0 to 4.0.6-p3
Affected: 4.1.0 to 4.1.2-p2 Affected: and 4.2.0 to 4.2.2 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:21.888Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20231026/index_40.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20231026/index.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20231026/index_3.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN29195731/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46845",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T20:27:53.327326Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T20:28:15.713Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 4 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "4.0.0 to 4.0.6-p3"
},
{
"status": "affected",
"version": " 4.1.0 to 4.1.2-p2"
},
{
"status": "affected",
"version": " and 4.2.0 to 4.2.2"
}
]
},
{
"product": "EC-CUBE 3 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "3.0.0 to 3.0.18-p6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Code injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-07T07:39:57.896Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ec-cube.net/info/weakness/20231026/index_40.php"
},
{
"url": "https://www.ec-cube.net/info/weakness/20231026/index.php"
},
{
"url": "https://www.ec-cube.net/info/weakness/20231026/index_3.php"
},
{
"url": "https://jvn.jp/en/jp/JVN29195731/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-46845",
"datePublished": "2023-11-07T07:39:57.896Z",
"dateReserved": "2023-10-27T08:05:25.926Z",
"dateUpdated": "2024-09-04T20:28:15.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40281 (GCVE-0-2023-40281)
Vulnerability from nvd – Published: 2023-08-17 06:37 – Updated: 2024-10-08 17:38
VLAI?
Summary
EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page.
If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 2 series |
Affected:
2.11.0 to 2.17.2-p1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:31:53.206Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20230727/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN46993816/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ec-cube:ec-cube_2:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ec-cube_2",
"vendor": "ec-cube",
"versions": [
{
"lessThanOrEqual": "2.17.2-p1",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T17:32:20.274466Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T17:38:02.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 2 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "2.11.0 to 2.17.2-p1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in \"mail/template\" and \"products/product\" of Management page.\r\nIf this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-17T06:37:01.773Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ec-cube.net/info/weakness/20230727/"
},
{
"url": "https://jvn.jp/en/jp/JVN46993816/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-40281",
"datePublished": "2023-08-17T06:37:01.773Z",
"dateReserved": "2023-08-14T00:40:59.318Z",
"dateUpdated": "2024-10-08T17:38:02.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25077 (GCVE-0-2023-25077)
Vulnerability from nvd – Published: 2023-03-05 00:00 – Updated: 2025-03-06 15:59
VLAI?
Summary
Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 4 series |
Affected:
EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:11:43.452Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN04785663/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25077",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-06T15:59:18.281604Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-06T15:59:31.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 4 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-05T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"url": "https://jvn.jp/en/jp/JVN04785663/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-25077",
"datePublished": "2023-03-05T00:00:00.000Z",
"dateReserved": "2023-02-17T00:00:00.000Z",
"dateUpdated": "2025-03-06T15:59:31.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22838 (GCVE-0-2023-22838)
Vulnerability from nvd – Published: 2023-03-05 00:00 – Updated: 2025-03-06 16:02
VLAI?
Summary
Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 4 series |
Affected:
EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:31.054Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN04785663/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22838",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-06T16:01:51.762350Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-06T16:02:05.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 4 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-05T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"url": "https://jvn.jp/en/jp/JVN04785663/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-22838",
"datePublished": "2023-03-05T00:00:00.000Z",
"dateReserved": "2023-02-17T00:00:00.000Z",
"dateUpdated": "2025-03-06T16:02:05.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22438 (GCVE-0-2023-22438)
Vulnerability from nvd – Published: 2023-03-05 00:00 – Updated: 2025-03-07 21:47
VLAI?
Summary
Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script.
Severity ?
5.4 (Medium)
CWE
- Cross-site scripting
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 4 series, EC-CUBE 3 series, and EC-CUBE 2 series |
Affected:
EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, EC-CUBE 4.2.0, EC-CUBE 3.0.0 to 3.0.18-p5, EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:06.585Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/index_3.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20230214/index_2.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN04785663/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-22438",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T21:46:40.424694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T21:47:56.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 4 series, EC-CUBE 3 series, and EC-CUBE 2 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, EC-CUBE 4.2.0, EC-CUBE 3.0.0 to 3.0.18-p5, EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-05T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ec-cube.net/info/weakness/20230214/"
},
{
"url": "https://www.ec-cube.net/info/weakness/20230214/index_3.php"
},
{
"url": "https://www.ec-cube.net/info/weakness/20230214/index_2.php"
},
{
"url": "https://jvn.jp/en/jp/JVN04785663/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-22438",
"datePublished": "2023-03-05T00:00:00.000Z",
"dateReserved": "2022-12-28T00:00:00.000Z",
"dateUpdated": "2025-03-07T21:47:56.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40199 (GCVE-0-2022-40199)
Vulnerability from nvd – Published: 2022-09-27 01:55 – Updated: 2025-05-21 18:23
VLAI?
Summary
Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure information.
Severity ?
CWE
- Directory traversal
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 3 series and EC-CUBE 4 series |
Affected:
EC-CUBE 3.0.0 to 3.0.18-p4 and EC-CUBE 4.0.0 to 4.1.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.950Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20220909/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-40199",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-21T18:22:17.185316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T18:23:18.170Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 3 series and EC-CUBE 4 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "EC-CUBE 3.0.0 to 3.0.18-p4 and EC-CUBE 4.0.0 to 4.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product\u0027s directory structure information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Directory traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-27T01:55:17.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ec-cube.net/info/weakness/20220909/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-40199",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "EC-CUBE 3 series and EC-CUBE 4 series",
"version": {
"version_data": [
{
"version_value": "EC-CUBE 3.0.0 to 3.0.18-p4 and EC-CUBE 4.0.0 to 4.1.2"
}
]
}
}
]
},
"vendor_name": "EC-CUBE CO.,LTD."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product\u0027s directory structure information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Directory traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ec-cube.net/info/weakness/20220909/",
"refsource": "MISC",
"url": "https://www.ec-cube.net/info/weakness/20220909/"
},
{
"name": "https://jvn.jp/en/jp/JVN21213852/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-40199",
"datePublished": "2022-09-27T01:55:17.000Z",
"dateReserved": "2022-09-09T00:00:00.000Z",
"dateUpdated": "2025-05-21T18:23:18.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-38975 (GCVE-0-2022-38975)
Vulnerability from nvd – Published: 2022-09-27 01:55 – Updated: 2025-05-21 18:24
VLAI?
Summary
DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page.
Severity ?
5.4 (Medium)
CWE
- Cross-site scripting
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 4 series |
Affected:
EC-CUBE 4.0.0 to 4.1.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T11:10:32.098Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20220909/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-38975",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-21T18:23:58.811469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T18:24:22.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 4 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "EC-CUBE 4.0.0 to 4.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-27T01:55:16.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ec-cube.net/info/weakness/20220909/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-38975",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "EC-CUBE 4 series",
"version": {
"version_data": [
{
"version_value": "EC-CUBE 4.0.0 to 4.1.2"
}
]
}
}
]
},
"vendor_name": "EC-CUBE CO.,LTD."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ec-cube.net/info/weakness/20220909/",
"refsource": "MISC",
"url": "https://www.ec-cube.net/info/weakness/20220909/"
},
{
"name": "https://jvn.jp/en/jp/JVN21213852/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN21213852/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-38975",
"datePublished": "2022-09-27T01:55:16.000Z",
"dateReserved": "2022-09-09T00:00:00.000Z",
"dateUpdated": "2025-05-21T18:24:22.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25355 (GCVE-0-2022-25355)
Vulnerability from nvd – Published: 2022-02-24 09:50 – Updated: 2024-08-03 04:36
VLAI?
Summary
EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users.
Severity ?
No CVSS data available.
CWE
- Improper Control of Dynamically-Managed Code Resources
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 3 series and EC-CUBE 4 series |
Affected:
EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:36:07.005Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20220221/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN53871926/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 3 series and EC-CUBE 4 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-24T09:50:35",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ec-cube.net/info/weakness/20220221/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN53871926/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-25355",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "EC-CUBE 3 series and EC-CUBE 4 series",
"version": {
"version_data": [
{
"version_value": "EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1"
}
]
}
}
]
},
"vendor_name": "EC-CUBE CO.,LTD."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Control of Dynamically-Managed Code Resources"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ec-cube.net/info/weakness/20220221/",
"refsource": "MISC",
"url": "https://www.ec-cube.net/info/weakness/20220221/"
},
{
"name": "https://jvn.jp/en/jp/JVN53871926/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN53871926/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-25355",
"datePublished": "2022-02-24T09:50:35",
"dateReserved": "2022-02-20T00:00:00",
"dateUpdated": "2024-08-03T04:36:07.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20842 (GCVE-0-2021-20842)
Vulnerability from nvd – Published: 2021-11-24 08:25 – Updated: 2024-08-03 17:53
VLAI?
Summary
Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page.
Severity ?
No CVSS data available.
CWE
- Cross-site request forgery
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 2 series |
Affected:
2.11.0 to 2.17.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20211111/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 2 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "2.11.0 to 2.17.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-24T08:25:42",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ec-cube.net/info/weakness/20211111/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20842",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "EC-CUBE 2 series",
"version": {
"version_data": [
{
"version_value": "2.11.0 to 2.17.1"
}
]
}
}
]
},
"vendor_name": "EC-CUBE CO.,LTD."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site request forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ec-cube.net/info/weakness/20211111/",
"refsource": "MISC",
"url": "https://www.ec-cube.net/info/weakness/20211111/"
},
{
"name": "https://jvn.jp/en/jp/JVN75444925/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20842",
"datePublished": "2021-11-24T08:25:42",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:22.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20841 (GCVE-0-2021-20841)
Vulnerability from nvd – Published: 2021-11-24 08:25 – Updated: 2024-08-03 17:53
VLAI?
Summary
Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- Fails to restrict access
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| EC-CUBE CO.,LTD. | EC-CUBE 2 series |
Affected:
2.11.2 to 2.17.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ec-cube.net/info/weakness/20211111/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "EC-CUBE 2 series",
"vendor": "EC-CUBE CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "2.11.2 to 2.17.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Fails to restrict access",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-24T08:25:41",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ec-cube.net/info/weakness/20211111/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20841",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "EC-CUBE 2 series",
"version": {
"version_data": [
{
"version_value": "2.11.2 to 2.17.1"
}
]
}
}
]
},
"vendor_name": "EC-CUBE CO.,LTD."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Fails to restrict access"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ec-cube.net/info/weakness/20211111/",
"refsource": "MISC",
"url": "https://www.ec-cube.net/info/weakness/20211111/"
},
{
"name": "https://jvn.jp/en/jp/JVN75444925/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN75444925/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20841",
"datePublished": "2021-11-24T08:25:41",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:22.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}