Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
jvnJapan Vulnerability NotesJVN:75444925
HistoryNov 11, 2021 - 12:00 a.m.

JVN#75444925: Multiple vulnerabilities in EC-CUBE 2 series

2021-11-1100:00:00
Japan Vulnerability Notes
jvn.jp
21
ec-cube 2 series
vulnerabilities
access control
cross-site request forgery
cve-2021-20841
cve-2021-20842
software update
patch
workaround
affected products

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

48.3%

JSON

EC-CUBE 2 series provided by EC-CUBE CO.,LTD. contains multiple vulnerabilities listed below.

Improper access control in Management screen (CWE-284) - CVE-2021-20841

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3
CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0

Cross-site request forgery vulnerability in Management screen (CWE-352) - CVE-2021-20842

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Base Score: 6.5
CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6

Impact

  • A user who can log in to the product may alter System settings without the appropriate privilege - CVE-2021-20841
  • If a user with an administrative privilege views a malicious page while logged in, Administrator may be deleted - CVE-2021-20842

Solution

Update the Softwere
Update the software according to the information provided by the developer.
The developer has released EC-CUBE 2.17.2 that addresses these vulnerabilities.

Apply the Patch
Apply the hotfix patch according to the information provided by the developer.

Apply the Workaround CVE-2021-20841
Applying the following workaround may mitigate the impact of this vulnerability.

  • Change the value of mtb_permission to the directory name of Management screen URL
    For more information, refer to the information provided by the developer.

Products Affected

CVE-2021-20841

  • EC-CUBE 2.11.2 to 2.17.1 (EC-CUBE 2 series)
    CVE-2021-20842

  • EC-CUBE 2.11.0 to 2.17.1 (EC-CUBE 2 series)

Related

osv 4
prion 2
nvd 2
cve 2
cvelist 2
github 2
cnvd 2
osv
osv
EC-CUBE Cross-site request forgery (CSRF) vulnerability
2022-05-24 19:21:18
CVE-2021-20842
2021-11-24 16:15:13
EC-CUBE Improper access control in Management screen
2021-11-25 00:00:38
prion
prion
Cross site request forgery (csrf)
2021-11-24 16:15:00
Improper access control
2021-11-24 16:15:00
nvd
nvd
CVE-2021-20842
2021-11-24 16:15:13
CVE-2021-20841
2021-11-24 16:15:13
cve
cve
CVE-2021-20841
2021-11-24 16:15:13
CVE-2021-20842
2021-11-24 16:15:13
cvelist
cvelist
CVE-2021-20842
2021-11-24 08:25:42
CVE-2021-20841
2021-11-24 08:25:41
github
github
EC-CUBE Improper access control in Management screen
2021-11-25 00:00:38
EC-CUBE Cross-site request forgery (CSRF) vulnerability
2022-05-24 19:21:18
cnvd
cnvd
EC-CUBE Cross-site Request Forgery Vulnerability (CNVD-2022-03132)
2021-11-12 00:00:00
EC-CUBE improper access control vulnerability
2021-11-12 00:00:00

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

48.3%

JSON
Related for JVN:75444925
osv4prion2nvd2cve2cvelist2github2cnvd2