638 matches found
CVE-2024-41141
CVE-2024-41141 is a stored cross-site scripting vulnerability in the EC-CUBE Web API Plugin (OAuth Management). When multiple users use OAuth Management and one user inputs a crafted value, an arbitrary script may run in the browser of other users who accessed the management page. Documents consi...
EC-CUBE 4 Series improper input validation when installing plugins
Overview EC-CUBE 4 series provided by EC-CUBE CO.,LTD improperly validates inputs when installing plugins CWE-349. EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early...
JVN#26225832: EC-CUBE plugin (for EC-CUBE 4 series) "EC-CUBE Web API Plugin" vulnerable to stored cross-site scripting
EC-CUBE plugin for EC-CUBE 4 series "EC-CUBE Web API Plugin" provided by EC-CUBE CO.,LTD. contains a stored cross-site scripting vulnerability CWE-79 in OAuth Management feature. Impact When there are multiple users using OAuth Management feature and one of them inputs some crafted value on the...
EC-CUBE 安全漏洞
EC-CUBE is an open source e-commerce system from the Japanese company EC-CUBE. A security vulnerability exists in EC-CUBE that stems from the presence of an Accept External Untrusted Data and Trusted Data vulnerability, where an attacker who gains administrative privileges may be able to install...
JVN#48324254: EC-CUBE 4 Series improper input validation when installing plugins
EC-CUBE 4 series provided by EC-CUBE CO.,LTD improperly validates inputs when installing plugins CWE-349. Impact An attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are installed, the product may be affected by some...
JVN#15637138: EC-Orange vulnerable to authorization bypass
EC-Orange provided by S-cubism Inc. is an e-commerce website building system package based on an open source software EC-CUBE. EC-Orange contains an authorization bypass vulnerability CWE-639. This is the same issue as JVN51770585 EC-CUBE vulnerable to authorization bypass. Impact A user of the...
CVE-2023-46845
EC-CUBE 3 series 3.0.0 to 3.0.18-p6 and 4 series 4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2 contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where...
Remote code execution
EC-CUBE 3 series 3.0.0 to 3.0.18-p6 and 4 series 4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2 contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where...
CVE-2023-46845
EC-CUBE 3 series 3.0.0 to 3.0.18-p6 and 4 series 4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2 contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where...
CVE-2023-46845
EC-CUBE 3 series 3.0.0 to 3.0.18-p6 and 4 series 4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2 contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where...
CVE-2023-46845
EC-CUBE 3.x (3.0.0–3.0.18-p6) and 4.x (4.0.0–4.0.6-p3, 4.1.0–4.1.2-p2, 4.2.0–4.2.2) are affected by an arbitrary code execution flaw caused by improper settings of the Twig template engine. An administrative user can trigger code execution on the server hosting EC-CUBE. The root cause is misconfi...
CVE-2023-46845
EC-CUBE 3 series 3.0.0 to 3.0.18-p6 and 4 series 4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2 contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where...
EC-CUBE Security Vulnerability
EC-CUBE is an open source e-commerce system from EC-CUBE Japan. A security vulnerability exists in EC-CUBE 3 series 3.0.0 to 3.0.18-p6 and 4 series 4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2 releases, which is caused by an arbitrary code execution vulnerability due to improper...
JVN#29195731: EC-CUBE 3 series and 4 series vulnerable to arbitrary code execution
EC-CUBE 3 series and 4 series provided by EC-CUBE CO.,LTD. contain an arbitrary code execution vulnerability CWE-94 due to improper settings of the product's template engine "Twig". Impact Arbitrary code may be executed on the server where the product is running by a user with an administrative...
CVE-2023-40281
EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using t...
Cross site scripting
EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using t...
CVE-2023-40281
EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using t...
CVE-2023-40281
EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using t...
CVE-2023-40281
EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using t...
CVE-2023-40281
EC-CUBE 2 series (versions 2.11.0–2.17.2-p1) contains a cross-site scripting (CWE-79) vulnerability in the Management page’s mail/template and products/product components. The issue can allow arbitrary script execution in the web browser of other administrators or users accessing the site. Affect...