Japan Vulnerability Notes (jvn) JVN:15637138
History: May 29, 2024 - 12:00 a.m.

JVN#15637138: EC-Orange vulnerable to authorization bypass

2024-05-29 00:00:00
Japan Vulnerability Notes
jvn.jp
ec-orange
s-cubism inc.
e-commerce system
authorization bypass
cwe-639
ec-cube
vulnerability
http request
software update
patch
information disclosure
systems deployment date.

CVSS2: 5 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score: 6.7 Medium (Confidence: High)

EPSS: 0.006 Low (Percentile: 79.3%)

EC-Orange, provided by S-cubism Inc., is an e-commerce website building system package based on the open source software EC-CUBE.
EC-Orange contains an authorization bypass vulnerability (CWE-639).
This is the same issue as JVN#51770585 (EC-CUBE vulnerable to authorization bypass).

Impact

A user of the affected shopping website may obtain other users’ information by sending a crafted HTTP request.

Solution

Update the Software or Apply the Patch
Update the software to the latest version or apply the patch according to the information provided by the developer.
For systems deployed after June 29th, 2015, the issue has already been resolved.

Products Affected

  • Systems deployed before June 29th, 2015
