Japan Vulnerability NotesJVN:97554111JVN#97554111: EC-CUBE vulnerable to cross-site scripting
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.005 Low
EPSS
Percentile
75.7%
EC-CUBE provided by EC-CUBE CO.,LTD. contains a cross-site scripting vulnerability (CWE-79).
An arbitrary script may be executed by executing a specific operation on the management page of EC-CUBE.
As of 2021 May 10, an attack exploting this vulnerability has been observed in the wild.
Impact
If a remote attacker injects a specially crafted script in the specific input field of the EC web site which is created using EC-CUBE, an arbitrary script may be executed on the administrator’s web browser.
Solution
Update the Softwere
Update the software according to the information provided by the developer. The developer has released the following version that addresses the vulnerability.
- 4.0.5-p1
Apply the Patch
Apply the hotfix patch according to the information provided by the developer.
Products Affected
EC-CUBE 4.0.0 to 4.0.5
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.005 Low
EPSS
Percentile
75.7%