JVN#52695336: EC-CUBE vulnerable to session fixation

2018-04-17T00:00:00
ID JVN:52695336
Type jvn
Reporter Japan Vulnerability Notes
Modified 2018-04-17T00:00:00

## Description

EC-CUBE provided by LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a session fixation vulnerability (CWE-384).

## Impact

A remote attacker impersonating a logged-in user may perform unintended operations with that user's privileges.

## Solution

Update the software or update the source code
Apply either of the measures listed below according to the information provided by the developer.

  • Update the software to the latest version
  • Update source code by applying the difference file provided by the developer

## Products Affected

  • EC-CUBE 3.0.0
  • EC-CUBE 3.0.1
  • EC-CUBE 3.0.2
  • EC-CUBE 3.0.3
  • EC-CUBE 3.0.4
  • EC-CUBE 3.0.5
  • EC-CUBE 3.0.6
  • EC-CUBE 3.0.7
  • EC-CUBE 3.0.8
  • EC-CUBE 3.0.9
  • EC-CUBE 3.0.10
  • EC-CUBE 3.0.11
  • EC-CUBE 3.0.12
  • EC-CUBE 3.0.12-p1
  • EC-CUBE 3.0.13
  • EC-CUBE 3.0.14
  • EC-CUBE 3.0.15