Japan Vulnerability Notes JVN:21213852
Published: Sep 15, 2022, 12:00 a.m.

JVN#21213852: Multiple vulnerabilities in EC-CUBE

Source: Japan Vulnerability Notes (jvn.jp)

CVSS v3.1 base score: 5.4 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

EPSS: 0.001 (Low), percentile 40.6%

EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple vulnerabilities listed below.

Directory traversal vulnerability (CWE-22) - CVE-2022-40199

  Version   Vector                                          Base Score
  CVSS v3   CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N    2.7
  CVSS v2   AV:N/AC:L/Au:S/C:P/I:N/A:N                      4.0

DOM-based cross-site scripting vulnerability (CWE-79) - CVE-2022-38975

  Version   Vector                                          Base Score
  CVSS v3   CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N    6.1
  CVSS v2   AV:N/AC:H/Au:N/C:N/I:P/A:N                      2.6

Impact

  • A remote attacker who can log in to the product may obtain the product’s directory structure information - CVE-2022-40199
  • If a remote attacker lures an administrator of the product into visiting a specially crafted page and performing a specific operation, an arbitrary script may be executed in the administrator’s web browser - CVE-2022-38975

Solution

Update the software
An update is available for EC-CUBE 4 series.
Update to the latest version according to the information provided by the developer.
For EC-CUBE 3 series, there is no update but a patch is available.

Apply the patch
Patches are available for both EC-CUBE 3 and EC-CUBE 4 series.
For more information, refer to the information provided by the developer.

Products Affected

CVE-2022-40199

  • EC-CUBE 3.0.0 to 3.0.18-p4 (EC-CUBE 3 series)
  • EC-CUBE 4.0.0 to 4.1.2 (EC-CUBE 4 series)

CVE-2022-38975

  • EC-CUBE 4.0.0 to 4.1.2 (EC-CUBE 4 series)

