26 matches found
CVE-2013-5993
EC-CUBE (LOCKON) vulnerable to CSRF in EC-CUBE 2.11.0–2.13.0. The vulnerability allows an attacker to perform unintended actions on behalf of a logged-in user via CSRF vectors. Affected products/versions are EC-CUBE 2.11.x to 2.13.0; root cause is CSRF where a user’s session can be hijacked by vi...
CVE-2014-0808
EC-CUBE 2.11.0–2.12.2 and EC-Orange deployments before 2015-06-29 are affected by an authorization bypass (CWE-639) via a user-controlled key, enabling access to other users’ information through crafted HTTP requests. The issue is well-documented across multiple sources (Red Hat, JVN, GHSA/OSV) w...
CVE-2013-5992
EC-CUBE 2.11.0–2.11.5 is vulnerable to a Cross-Site Scripting (XSS) flaw in the displaySystemError function that mishandles error-message output. The root cause is improper escaping/output handling of error messages in html/handle_error.php, allowing remote attackers to inject arbitrary script/HT...
CVE-2016-1199
CVE-2016-1199 affects LOCKON EC-CUBE, specifically the management login page for versions 3.0.0 to 3.0.9. The description notes(remote) attackers can bypass the intended IP address restrictions via unspecified vectors, indicating an access control bypass in the login/management interface. The acc...
CVE-2013-3654
CVE-2013-3654 is a confirmed vulnerability affecting LOCKON EC-CUBE versions 2.12.0 through 2.12.4. The issue is a directory traversal that allows remote attackers to read arbitrary image files via vectors related to data/class/SC_CheckError.php and data/class/SC_FormParam.php. This is described ...
CVE-2014-0807
CVE-2014-0807 affects LOCKON EC-CUBE, impacting data modification via the vulnerable file LC_Page_Shopping_Deliv.php in EC-CUBE 2.4.4 and earlier, and 2.11.0 through 2.12.2. The root cause is described as an information alteration vulnerability that allows remote attackers to modify data; vectors...
CVE-2013-2313
CVE-2013-2313 refers to a session fixation vulnerability in LOCKON EC-CUBE, affecting EC-CUBE versions 2.11.0 through 2.12.3enP2. The underlying issue allows a remote attacker to hijack a user session, potentially leading to impersonation and unauthorized access or data modification. Public docum...
CVE-2013-2315
EC-CUBE v2.11.0–v2.12.3enP2 suffers an information disclosure vulnerability due to improper input validation in LC_Page_Forgot.php’s password reminder flow. A remote, unauthenticated attacker can craft a request that triggers leakage of sensitive data. The issue is documented across multiple sour...
CVE-2013-3650
CVE-2013-3650 is a directory traversal vulnerability in LOCKON EC-CUBE, affecting versions before 2.12.5. The flaw resides in the lfCheckFileName function used by resize_image.php, allowing remote attackers to read arbitrary image files via the image parameter. This is tied to EC-CUBE’s data/clas...
CVE-2013-3653
CVE-2013-3653: In LOCKON EC-CUBE’s management screen, the RecommendSearch feature has multiple XSS vulnerabilities in versions before 2.12.5, exploitable via the rank parameter. Remote attackers can inject arbitrary script/HTML. Remediation: upgrade to EC-CUBE 2.12.5 or later.
CVE-2013-5996
EC-CUBE vulnerable to cross-site scripting (XSS) in the shopping/payment.tpl components. Affected product/version range: EC-CUBE 2.11.0 through 2.13.0. Root cause described as XSS via crafted values, enabling remote script/HTML execution in the user’s browser. Remediation: apply the update/patch ...
CVE-2016-1200
The CVE-2016-1200 entry affects LOCKON EC-CUBE 3.0.7–3.0.9. The vulnerability is described as a bypass of intended access restrictions on the management screen by remote authenticated users, via unspecified vectors (a distinct issue from CVE-2016-1199). Connected documents confirm the affected pr...
CVE-2011-0451
EC-CUBE (LOCKON) before version 2.4.4 contains XSS flaws in data/Smarty/templates/default/list.tpl and data/Smarty/templates/default/campaign/bloc/cart_tag.tpl. The root cause is cross-site scripting via unspecified vectors, enabling remote script/HTML execution in users’ browsers. Affected versi...
CVE-2013-3651
EC-CUBE vulnerability CVE-2013-3651 affects EC-CUBE versions 2.11.2–2.12.4. A crafted string can trigger remote PHP code execution via in-scope code paths in data/class/SC_CheckError.php and data/class/SC_FormParam.php, allowing arbitrary code execution with the application’s privileges on the se...
CVE-2013-3652
CVE-2013-3652 is a cross-site scripting (XSS) vulnerability affecting LOCKON EC-CUBE versions 2.11.0 through 2.12.4. The flaw resides in the file data/class/pages/products/LC_Page_Products_List.php and can be exploited by manipulating the field classcategory_id2 to inject arbitrary web script or ...
CVE-2013-5991
The CVE-2013-5991 vulnerability affects EC-CUBE: the displaySystemError function in html/handle_error.php on LOCKON EC-CUBE versions 2.11.0–2.11.5 can disclose sensitive information due to incorrect handling of error-log output. Affected product is EC-CUBE (LOCKON), with the issue arising in erro...
CVE-2013-2314
CVE-2013-2314 affects EC-CUBE 2.11.0–2.12.3enP2. The vulnerability is a cross-site scripting (XSS) in the adminAuthorization function within SC_Helper_Session.php, allowing a remote attacker to inject arbitrary script/HTML via a crafted URL used on the management screen. Root cause: improper hand...
CVE-2013-4702
CVE-2013-4702 : In EC-CUBE (LOCKON) Windows deployments, directory traversal via the doApiAction path (SC_Api_Operation.php) allows remote reading of arbitrary files. Affected: EC-CUBE 2.12.0–2.12.5. Root cause: traversal vectors in parameters (Operation, Service, Style, Validate, Version). Impac...
CVE-2013-5994
EC-CUBE information disclosure vulnerability CVE-2013-5994 affects EC-CUBE 2.11.2–2.13.0. The issue allows remote attackers to obtain the server file path via a crafted request, exposing sensitive information in an error message. Affected products are listed in JVN/JVNDB entries (EC-CUBE 2.11.2 t...
CVE-2013-5995
CVE-2013-5995 affects EC-CUBE 2.12.3 through 2.13.0 (LOCKON). The issue lies in data/class/helper/SC_Helper_Address.php within the front-features implementation, allowing remote authenticated users to obtain sensitive information via unspecified vectors related to addresses. Connected documents c...
CVE-2018-0564
EC-CUBE 3.x versions (3.0.0 through 3.0.15) are affected by a session fixation vulnerability. The issue arises from lack of renewal of session cookies, enabling remote attackers to impersonate authenticated users and perform arbitrary operations via unspecified vectors. Public references (JVN/JVN...
CVE-2011-1325
EC-CUBE (vulnerability in EC-CUBE before 2.11.0) is affected by a cross-site request forgery (CSRF) that can hijack a logged-in user’s session via unknown vectors. The root cause is a CSRF flaw in handling authenticated requests. Impact is unauthorized actions in authenticated sessions. Remediati...
CVE-2016-1201
Vulnerability summary: CVE-2016-1201 is a cross-site request forgery (CSRF) bug in EC-CUBE.6,7 The connected sources confirm affected product EC-CUBE (LOCKON) versions 3.0.0 through 3.0.9, where an attacker can cause an administrator’s session to perform unintended actions when visiting a malicio...
CVE-2011-3988
EC-CUBE v2.11.0–2.11.2 is affected by a SQL injection vulnerability in data/class/SC_Query.php, allowing remote attackers to execute arbitrary SQL commands via unspecified vectors. The vulnerability enables viewing/modifying data and affects systems that process the vulnerable code path. Public s...
CVE-2015-5665
LOCKON EC-CUBE is affected by a CSRF vulnerability (CWE-352) affecting versions 2.11.0 through 2.13.3 (some sources list up to 2.13.4). The flaw enables an attacker to hijack the authentication of arbitrary users by inducing requests that write to PHP scripts, tied to the doValidToken function. I...
CVE-2013-2312
The CVE affects EC-CUBE (LOCKON) shopping-cart: XSS via crafted URL in EC-CUBE 2.11.0–2.12.3enP2 caused by improper handling/output of parameters. Impact is arbitrary script execution in the user’s browser when a cart item is present. Remediation: apply the vendor patch/update (per JVN entries li...