CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
38.6%
EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple cross-site scripting vulnerabilities listed below.
Cross-site scripting vulnerability in Contents Management (CWE-79) - CVE-2023-22438
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Base Score: 5.4 |
CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | Base Score: 3.5 |
Cross-site scripting vulnerability in Authentication Key Settings (CWE-79) - CVE-2023-25077
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Base Score: 5.4 |
CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | Base Score: 3.5 |
Cross-site scripting vulnerability in Product List Screen and Product Detail Screen (CWE-79) - CVE-2023-22838
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Base Score: 5.4 |
CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | Base Score: 3.5 |
Update the software
Update the software according to the information provided by the developer.
The developer has released EC-CUBE 4.2.1 that addresses these vulnerabilities.
Apply the Workaround
If an update cannot be applied, the developer recommends users applying the patches.
For more information, refer to the information provided by the developer.
CVE-2023-22438
EC-CUBE 4 series
EC-CUBE 3 series
EC-CUBE 2 series
EC-CUBE 4 series