Lucene search

K

EC-CUBE CO.,LTD. Security Vulnerabilities

osv
osv

CVE-2023-22838

Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary...

5.4CVSS

6.5AI Score

0.001EPSS

2023-03-06 12:15 AM
8
osv
osv

CVE-2022-38975

DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted...

5.4CVSS

6.3AI Score

0.001EPSS

2022-09-27 11:15 PM
8
osv
osv

CVE-2023-46845

EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server...

7.2CVSS

7.6AI Score

0.001EPSS

2023-11-07 08:15 AM
8
osv
osv

CVE-2023-22438

Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to...

5.4CVSS

6.5AI Score

0.001EPSS

2023-03-06 12:15 AM
6
osv
osv

CVE-2023-25077

Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary...

5.4CVSS

6.6AI Score

0.001EPSS

2023-03-06 12:15 AM
8
github
github

EC-CUBE vulnerable to authorization bypass

Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the affected shopping website may obtain other users' information by sending a crafted HTTP...

6.8AI Score

0.006EPSS

2022-05-17 04:54 AM
osv
osv

CVE-2022-23510

cube-js is a headless business intelligence platform. In version 0.31.23 all authenticated Cube clients could bypass SQL row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. This issue has been resolved in version 0.31.24. Users are advised to either upgrade...

9.6CVSS

8.9AI Score

0.001EPSS

2022-12-09 11:15 PM
11
cve
cve

CVE-2014-0808

Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the affected shopping website may obtain other users' information by sending a crafted HTTP...

6.2AI Score

0.006EPSS

2014-01-22 09:55 PM
19
osv
osv

EC-CUBE Directory traversal vulnerability

Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure...

2.7CVSS

3.6AI Score

0.001EPSS

2022-09-28 12:00 AM
4
osv
osv

EC-CUBE improperly handles HTTP Host header values

EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE...

5.3CVSS

7.3AI Score

0.001EPSS

2022-02-25 12:01 AM
1
osv
osv

EC-CUBE Directory traversal vulnerability

Directory traversal vulnerability in EC-CUBE 3.0.0 to 3.0.18 and 4.0.0 to 4.0.3 allows remote authenticated attackers to delete arbitrary files and/or directories on the server via unspecified...

8.1CVSS

6.6AI Score

0.002EPSS

2022-05-24 05:21 PM
4
osv
osv

EC-CUBE DOM-based cross-site scripting vulnerability

DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted...

5.4CVSS

5.3AI Score

0.001EPSS

2022-09-28 12:00 AM
2
osv
osv

CVE-2021-20750

Cross-site scripting vulnerability in EC-CUBE EC-CUBE 3.0.0 to 3.0.18-p2 (EC-CUBE 3 series) and EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific...

6.1CVSS

6.6AI Score

0.002EPSS

2021-06-28 01:15 AM
8
osv
osv

EC-CUBE Cross-site scripting vulnerability

Cross-site scripting vulnerability in EC-CUBE EC-CUBE 3.0.0 to 3.0.18-p2 (EC-CUBE 3 series) and EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific...

6.1CVSS

6.5AI Score

0.002EPSS

2022-05-24 07:06 PM
9
osv
osv

EC-CUBE Improper Restriction of Rendered UI Layers or Frames

Improper restriction of rendered UI layers or frames in EC-CUBE versions from 3.0.0 to 3.0.18 leads to clickjacking attacks. If a user accesses a specially crafted page while logged into the administrative page, unintended operations may be...

6.1CVSS

6.7AI Score

0.001EPSS

2022-05-24 05:35 PM
4
osv
osv

EC-CUBE Cross-site scripting vulnerability

Cross-site scripting vulnerability in EC-CUBE 4.0.0 to 4.0.5 allows a remote attacker to inject a specially crafted script in the specific input field of the EC web site which is created using EC-CUBE. As a result, it may lead to an arbitrary script execution on the administrator's web...

6.1CVSS

6.6AI Score

0.005EPSS

2022-05-24 07:01 PM
2
osv
osv

CVE-2021-20751

Cross-site scripting vulnerability in EC-CUBE EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific...

6.1CVSS

6.6AI Score

0.001EPSS

2021-06-28 01:15 AM
8
osv
osv

CVE-2021-20717

Cross-site scripting vulnerability in EC-CUBE 4.0.0 to 4.0.5 allows a remote attacker to inject a specially crafted script in the specific input field of the EC web site which is created using EC-CUBE. As a result, it may lead to an arbitrary script execution on the administrator's web...

6.1CVSS

6.6AI Score

0.005EPSS

2021-05-10 10:15 AM
9
osv
osv

CVE-2022-25355

EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE...

5.3CVSS

7AI Score

0.001EPSS

2022-02-24 03:15 PM
3
osv
osv

EC-CUBE Open redirect vulnerability

Open redirect vulnerability in EC-CUBE (EC-CUBE 3.0.0, EC-CUBE 3.0.1, EC-CUBE 3.0.2, EC-CUBE 3.0.3, EC-CUBE 3.0.4, EC-CUBE 3.0.5, EC-CUBE 3.0.6, EC-CUBE 3.0.7, EC-CUBE 3.0.8, EC-CUBE 3.0.9, EC-CUBE 3.0.10, EC-CUBE 3.0.11, EC-CUBE 3.0.12, EC-CUBE 3.0.12-p1, EC-CUBE 3.0.13, EC-CUBE 3.0.14, EC-CUBE...

6.1CVSS

7AI Score

0.001EPSS

2022-05-14 01:36 AM
5
osv
osv

EC-CUBE Improper input validation vulnerability

Improper input validation vulnerability in EC-CUBE versions from 3.0.5 to 3.0.18 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified...

7.5CVSS

6.8AI Score

0.002EPSS

2022-05-24 05:35 PM
3
osv
osv

EC-CUBE Cross-site scripting vulnerability

Cross-site scripting vulnerability in EC-CUBE EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific...

6.1CVSS

6.5AI Score

0.001EPSS

2022-05-24 07:06 PM
2
github
github

EC-CUBE Directory traversal vulnerability

Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure...

2.7CVSS

6.5AI Score

0.001EPSS

2022-09-28 12:00 AM
4
github
github

EC-CUBE Directory traversal vulnerability

Directory traversal vulnerability in EC-CUBE 3.0.0 to 3.0.18 and 4.0.0 to 4.0.3 allows remote authenticated attackers to delete arbitrary files and/or directories on the server via unspecified...

8.1CVSS

6.7AI Score

0.002EPSS

2022-05-24 05:21 PM
6
osv
osv

Malicious code in co-pilot-auth_web (npm)

-= Per source details. Do not edit below this line.=- Source: ghsa-malware (d490be43502540c62a740310c0ab3d38a35220e7b32f029a0c7e79e191104015) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI Score

2024-06-03 01:52 AM
2
github
github

EC-CUBE improperly handles HTTP Host header values

EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE...

5.3CVSS

7AI Score

0.001EPSS

2022-02-25 12:01 AM
3
github
github

EC-CUBE Cross-site scripting vulnerability

Cross-site scripting vulnerability in EC-CUBE EC-CUBE 3.0.0 to 3.0.18-p2 (EC-CUBE 3 series) and EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific...

6.1CVSS

6.6AI Score

0.002EPSS

2022-05-24 07:06 PM
3
github
github

EC-CUBE Improper input validation vulnerability

Improper input validation vulnerability in EC-CUBE versions from 3.0.5 to 3.0.18 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified...

7.5CVSS

6.9AI Score

0.002EPSS

2022-05-24 05:35 PM
7
github
github

EC-CUBE DOM-based cross-site scripting vulnerability

DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted...

5.4CVSS

6.3AI Score

0.001EPSS

2022-09-28 12:00 AM
2
github
github

EC-CUBE Cross-site request forgery (CSRF) vulnerability

Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web...

6.5CVSS

7.2AI Score

0.001EPSS

2022-05-24 07:21 PM
5
github
github

EC-CUBE Cross-site scripting vulnerability

Cross-site scripting vulnerability in EC-CUBE 4.0.0 to 4.0.5 allows a remote attacker to inject a specially crafted script in the specific input field of the EC web site which is created using EC-CUBE. As a result, it may lead to an arbitrary script execution on the administrator's web...

6.1CVSS

6.6AI Score

0.005EPSS

2022-05-24 07:01 PM
7
github
github

EC-CUBE Improper Restriction of Rendered UI Layers or Frames

Improper restriction of rendered UI layers or frames in EC-CUBE versions from 3.0.0 to 3.0.18 leads to clickjacking attacks. If a user accesses a specially crafted page while logged into the administrative page, unintended operations may be...

6.1CVSS

6.8AI Score

0.001EPSS

2022-05-24 05:35 PM
2
github
github

EC-CUBE Open redirect vulnerability

Open redirect vulnerability in EC-CUBE (EC-CUBE 3.0.0, EC-CUBE 3.0.1, EC-CUBE 3.0.2, EC-CUBE 3.0.3, EC-CUBE 3.0.4, EC-CUBE 3.0.5, EC-CUBE 3.0.6, EC-CUBE 3.0.7, EC-CUBE 3.0.8, EC-CUBE 3.0.9, EC-CUBE 3.0.10, EC-CUBE 3.0.11, EC-CUBE 3.0.12, EC-CUBE 3.0.12-p1, EC-CUBE 3.0.13, EC-CUBE 3.0.14, EC-CUBE...

6.1CVSS

7AI Score

0.001EPSS

2022-05-14 01:36 AM
7
github
github

EC-CUBE Improper access control in Management screen

Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified...

6.5CVSS

6.5AI Score

0.001EPSS

2021-11-25 12:00 AM
5
github
github

EC-CUBE Improper access control vulnerability

Improper access control vulnerability in EC-CUBE 4.0.6 (EC-CUBE 4 series) allows a remote attacker to bypass access restriction and obtain sensitive information via unspecified...

7.5CVSS

6.5AI Score

0.003EPSS

2022-05-24 07:06 PM
5
github
github

EC-CUBE Cross-site scripting vulnerability

Cross-site scripting vulnerability in EC-CUBE EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific...

6.1CVSS

6.6AI Score

0.001EPSS

2022-05-24 07:06 PM
4
githubexploit
githubexploit

Exploit for Improper Validation of Specified Quantity in Input in Linux Linux Kernel

RNDIS-CO Summary The RNDIS USB Gadget may be exploited...

6.9AI Score

2022-02-17 02:02 PM
389
osv
osv

CVE-2022-40199

Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure...

2.7CVSS

6.5AI Score

0.001EPSS

2022-09-27 11:15 PM
6
cve
cve

CVE-2021-37378

Cross Site Scripting (XSS) vulnerability in Teradek Cube and Cube Pro firmware version 7.3.x and earlier allows remote attackers to run arbitrary code via the Friendly Name field in System Information Settings. NOTE: Vedor states the product has reached End of Life and will not be receiving any...

5.4CVSS

5.4AI Score

0.001EPSS

2023-02-03 06:15 PM
13
githubexploit
githubexploit

Exploit for CVE-2024-36837

CVE-2024-36837 POC write URL in url.txt and run...

7.8AI Score

EPSS

2024-06-15 04:44 PM
55
cve
cve

CVE-2024-23978

Heap-based buffer overflow vulnerability exists in HOME SPOT CUBE2 V102 and earlier. By processing invalid values, arbitrary code may be executed. Note that the affected products are no longer...

9.8CVSS

9.7AI Score

0.001EPSS

2024-02-02 07:15 AM
14
cve
cve

CVE-2024-21780

Stack-based buffer overflow vulnerability exists in HOME SPOT CUBE2 V102 and earlier. Processing a specially crafted command may result in a denial of service (DoS) condition. Note that the affected products are no longer...

7.5CVSS

7.7AI Score

0.0005EPSS

2024-02-02 07:15 AM
13
githubexploit
githubexploit

Exploit for Use After Free in Arm Bifrost Gpu Kernel Driver

Exploit for CVE-2022-38181 for FireTV 2nd gen Cube This is...

9.2AI Score

2023-04-13 01:19 PM
183
osv
osv

EC-CUBE Cross-site request forgery (CSRF) vulnerability

Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web...

6.5CVSS

7.2AI Score

0.001EPSS

2022-05-24 07:21 PM
6
osv
osv

EC-CUBE Improper access control in Management screen

Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified...

6.5CVSS

6.2AI Score

0.001EPSS

2021-11-25 12:00 AM
5
osv
osv

CVE-2023-40281

EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using...

4.8CVSS

6.5AI Score

0.0004EPSS

2023-08-17 07:15 AM
6
osv
osv

CVE-2022-24697

Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the...

9.8CVSS

7.1AI Score

0.041EPSS

2022-10-13 01:15 PM
2
osv
osv

CVE-2019-25086

A vulnerability was found in IET-OU Open Media Player up to 1.5.0. It has been declared as problematic. This vulnerability affects the function webvtt of the file application/controllers/timedtext.php. The manipulation of the argument ttml_url leads to cross site scripting. The attack can be...

5.4CVSS

6.2AI Score

0.001EPSS

2022-12-27 09:15 AM
2
openbugbounty
openbugbounty

co-iki.org Cross Site Scripting vulnerability OBB-3898416

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

6.2AI Score

2024-04-03 12:40 PM
7
openbugbounty
openbugbounty

turn8.co Cross Site Scripting vulnerability OBB-3899708

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

6.2AI Score

2024-04-04 05:15 AM
5
Total number of security vulnerabilities15963