Lucene search

[email protected]NVD:CVE-2023-46845

HistoryNov 07, 2023 - 8:15 a.m.

CVE-2023-46845

2023-11-0708:15:24

CWE-94

[email protected]

web.nvd.nist.gov

cve-2023-46845

ec-cube

arbitrary code execution

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

44.8%

JSON

EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.

Affected configurations

NVD

Node

ec-cubeec-cubeRange3.0.0–3.0.18

ec-cubeec-cubeRange4.0.0–4.0.6

ec-cubeec-cubeRange4.1.0–4.1.2

ec-cubeec-cubeRange4.2.0–4.2.3

ec-cubeec-cubeMatch3.0.18p1

ec-cubeec-cubeMatch3.0.18p2

ec-cubeec-cubeMatch3.0.18p3

ec-cubeec-cubeMatch3.0.18p4

ec-cubeec-cubeMatch3.0.18p5

ec-cubeec-cubeMatch3.0.18p6

ec-cubeec-cubeMatch4.0.6p1

ec-cubeec-cubeMatch4.0.6p2

ec-cubeec-cubeMatch4.0.6p3

ec-cubeec-cubeMatch4.1.2p1

ec-cubeec-cubeMatch4.1.2p2

References

jvn.jp/en/jp/JVN29195731/

www.ec-cube.net/info/weakness/20231026/index.php

www.ec-cube.net/info/weakness/20231026/index_3.php

www.ec-cube.net/info/weakness/20231026/index_40.php

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

44.8%

JSON

Related for NVD:CVE-2023-46845

prion1 cvelist1 osv1 jvn1 cve1