Lucene search

K
cve[email protected]CVE-2023-46845
HistoryNov 07, 2023 - 8:15 a.m.

CVE-2023-46845

2023-11-0708:15:24
CWE-94
web.nvd.nist.gov
10
ec-cube
arbitrary code execution
twig
cve-2023-46845
security vulnerability
nvd

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

44.5%

EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.

Affected configurations

Vulners
NVD
Node
c-cubeec-cube_4_seriesRange4.0.04.0.6-p3
OR
c-cubeec-cube_4_seriesRange4.1.04.1.2-p2
OR
c-cubeec-cube_4_seriesRange4.2.04.2.2
OR
c-cubeec-cube_3_seriesRange3.0.03.0.18-p6

CNA Affected

[
  {
    "vendor": "EC-CUBE CO.,LTD.",
    "product": "EC-CUBE 4 series",
    "versions": [
      {
        "version": "4.0.0 to 4.0.6-p3",
        "status": "affected"
      },
      {
        "version": " 4.1.0 to 4.1.2-p2",
        "status": "affected"
      },
      {
        "version": " and 4.2.0 to 4.2.2",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "EC-CUBE CO.,LTD.",
    "product": "EC-CUBE 3 series",
    "versions": [
      {
        "version": "3.0.0 to 3.0.18-p6",
        "status": "affected"
      }
    ]
  }
]

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

44.5%

Related for CVE-2023-46845