jvndb - jvndb-2024-000080

jvndb-2024-000080

Vulnerability from jvndb

Published

2024-07-30 13:56

Modified

2024-07-30 13:56

Severity

6.8 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

Summary

EC-CUBE 4 Series improper input validation when installing plugins

Details

EC-CUBE 4 series provided by EC-CUBE CO.,LTD improperly validates inputs when installing plugins (CWE-349). EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.

References

Type	URL
JVN	https://jvn.jp/en/jp/JVN48324254/index.html
CVE	https://www.cve.org/CVERecord?id=CVE-2024-41924
No Mapping(CWE-Other)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor	Product
EC-CUBE CO.,LTD.	EC-CUBE

Show details on JVN DB website

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000080.html",
  "dc:date": "2024-07-30T13:56+09:00",
  "dcterms:issued": "2024-07-30T13:56+09:00",
  "dcterms:modified": "2024-07-30T13:56+09:00",
  "description": "EC-CUBE 4 series provided by EC-CUBE CO.,LTD improperly validates inputs when installing plugins (CWE-349).\r\n\r\nEC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000080.html",
  "sec:cpe": {
    "#text": "cpe:/a:ec-cube:ec-cube",
    "@product": "EC-CUBE",
    "@vendor": "EC-CUBE CO.,LTD.",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "6.8",
    "@severity": "Medium",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2024-000080",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN48324254/index.html",
      "@id": "JVN#48324254",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-41924",
      "@id": "CVE-2024-41924",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "EC-CUBE 4 Series improper input validation when installing plugins"
}

cve-2024-41924

Vulnerability from cvelistv5

Published

2024-07-30 08:45

Modified

2024-08-02 04:54

Severity

7.2 (High) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are installed, the product may be affected by some known vulnerabilities.

References

URL	Tags
https://www.ec-cube.net/info/weakness/20240701/index.php
https://jvn.jp/en/jp/JVN48324254/

Impacted products

Vendor	Product
EC-CUBE CO.,LTD.	EC-CUBE 4 series

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:ec-cube:ec-cube:4.0.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ec-cube",
            "vendor": "ec-cube",
            "versions": [
              {
                "lessThanOrEqual": "4.0.6-p4",
                "status": "affected",
                "version": "4.0.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:ec-cube:ec-cube:4.1.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ec-cube",
            "vendor": "ec-cube",
            "versions": [
              {
                "lessThanOrEqual": "4.1.2-p3",
                "status": "affected",
                "version": "4.1.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:ec-cube:ec-cube:4.2.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ec-cube",
            "vendor": "ec-cube",
            "versions": [
              {
                "lessThanOrEqual": "4.2.3",
                "status": "affected",
                "version": "4.2.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.2,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-41924",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-30T15:09:19.816048Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-30T15:13:11.505Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:54:31.275Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.ec-cube.net/info/weakness/20240701/index.php"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN48324254/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "EC-CUBE 4 series",
          "vendor": "EC-CUBE CO.,LTD.",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.0 to 4.0.6-p4"
            },
            {
              "status": "affected",
              "version": "4.1.0 to 4.1.2-p3"
            },
            {
              "status": "affected",
              "version": "and 4.2.0 to 4.2.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are installed, the product may be affected by some known vulnerabilities."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Acceptance of extraneous untrusted data with trusted data",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-30T08:45:48.496Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.ec-cube.net/info/weakness/20240701/index.php"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN48324254/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2024-41924",
    "datePublished": "2024-07-30T08:45:48.496Z",
    "dateReserved": "2024-07-24T06:07:32.248Z",
    "dateUpdated": "2024-08-02T04:54:31.275Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.