Lucene search
K
LockonEc-cube

26 matches found

CVE
CVE
added 2013/11/21 2:0 a.m.97 views

CVE-2013-5993

EC-CUBE (LOCKON) vulnerable to CSRF in EC-CUBE 2.11.0–2.13.0. The vulnerability allows an attacker to perform unintended actions on behalf of a logged-in user via CSRF vectors. Affected products/versions are EC-CUBE 2.11.x to 2.13.0; root cause is CSRF where a user’s session can be hijacked by vi...

6.8CVSS7.3AI score0.01079EPSS
CVE
CVE
added 2014/01/22 9:0 p.m.58 views

CVE-2014-0808

EC-CUBE 2.11.0–2.12.2 and EC-Orange deployments before 2015-06-29 are affected by an authorization bypass (CWE-639) via a user-controlled key, enabling access to other users’ information through crafted HTTP requests. The issue is well-documented across multiple sources (Red Hat, JVN, GHSA/OSV) w...

9.1CVSS6.2AI score0.02245EPSS
CVE
CVE
added 2013/11/21 2:0 a.m.52 views

CVE-2013-5992

EC-CUBE 2.11.0–2.11.5 is vulnerable to a Cross-Site Scripting (XSS) flaw in the displaySystemError function that mishandles error-message output. The root cause is improper escaping/output handling of error messages in html/handle_error.php, allowing remote attackers to inject arbitrary script/HT...

4.3CVSS5.9AI score0.01207EPSS
CVE
CVE
added 2016/04/30 10:0 a.m.51 views

CVE-2016-1199

CVE-2016-1199 affects LOCKON EC-CUBE, specifically the management login page for versions 3.0.0 to 3.0.9. The description notes(remote) attackers can bypass the intended IP address restrictions via unspecified vectors, indicating an access control bypass in the login/management interface. The acc...

5.3CVSS5.5AI score0.01301EPSS
CVE
CVE
added 2013/06/29 7:0 p.m.49 views

CVE-2013-3654

CVE-2013-3654 is a confirmed vulnerability affecting LOCKON EC-CUBE versions 2.12.0 through 2.12.4. The issue is a directory traversal that allows remote attackers to read arbitrary image files via vectors related to data/class/SC_CheckError.php and data/class/SC_FormParam.php. This is described ...

5CVSS6.7AI score0.01862EPSS
Web
CVE
CVE
added 2014/01/22 9:0 p.m.49 views

CVE-2014-0807

CVE-2014-0807 affects LOCKON EC-CUBE, impacting data modification via the vulnerable file LC_Page_Shopping_Deliv.php in EC-CUBE 2.4.4 and earlier, and 2.11.0 through 2.12.2. The root cause is described as an information alteration vulnerability that allows remote attackers to modify data; vectors...

6.4CVSS6.8AI score0.01569EPSS
CVE
CVE
added 2013/05/29 7:0 p.m.48 views

CVE-2013-2313

CVE-2013-2313 refers to a session fixation vulnerability in LOCKON EC-CUBE, affecting EC-CUBE versions 2.11.0 through 2.12.3enP2. The underlying issue allows a remote attacker to hijack a user session, potentially leading to impersonation and unauthorized access or data modification. Public docum...

4CVSS6.8AI score0.01869EPSS
CVE
CVE
added 2013/05/29 7:0 p.m.48 views

CVE-2013-2315

EC-CUBE v2.11.0–v2.12.3enP2 suffers an information disclosure vulnerability due to improper input validation in LC_Page_Forgot.php’s password reminder flow. A remote, unauthenticated attacker can craft a request that triggers leakage of sensitive data. The issue is documented across multiple sour...

5CVSS6.4AI score0.01369EPSS
Web
CVE
CVE
added 2013/06/29 7:0 p.m.48 views

CVE-2013-3650

CVE-2013-3650 is a directory traversal vulnerability in LOCKON EC-CUBE, affecting versions before 2.12.5. The flaw resides in the lfCheckFileName function used by resize_image.php, allowing remote attackers to read arbitrary image files via the image parameter. This is tied to EC-CUBE’s data/clas...

5CVSS6.7AI score0.01862EPSS
Web
CVE
CVE
added 2013/06/29 4:0 p.m.48 views

CVE-2013-3653

CVE-2013-3653: In LOCKON EC-CUBE’s management screen, the RecommendSearch feature has multiple XSS vulnerabilities in versions before 2.12.5, exploitable via the rank parameter. Remote attackers can inject arbitrary script/HTML. Remediation: upgrade to EC-CUBE 2.12.5 or later.

4.3CVSS5.7AI score0.01792EPSS
CVE
CVE
added 2013/11/21 2:0 a.m.48 views

CVE-2013-5996

EC-CUBE vulnerable to cross-site scripting (XSS) in the shopping/payment.tpl components. Affected product/version range: EC-CUBE 2.11.0 through 2.13.0. Root cause described as XSS via crafted values, enabling remote script/HTML execution in the user’s browser. Remediation: apply the update/patch ...

4.3CVSS5.9AI score0.01883EPSS
CVE
CVE
added 2016/04/30 10:0 a.m.46 views

CVE-2016-1200

The CVE-2016-1200 entry affects LOCKON EC-CUBE 3.0.7–3.0.9. The vulnerability is described as a bypass of intended access restrictions on the management screen by remote authenticated users, via unspecified vectors (a distinct issue from CVE-2016-1199). Connected documents confirm the affected pr...

6.5CVSS5.2AI score0.009EPSS
CVE
CVE
added 2011/02/03 3:0 p.m.45 views

CVE-2011-0451

EC-CUBE (LOCKON) before version 2.4.4 contains XSS flaws in data/Smarty/templates/default/list.tpl and data/Smarty/templates/default/campaign/bloc/cart_tag.tpl. The root cause is cross-site scripting via unspecified vectors, enabling remote script/HTML execution in users’ browsers. Affected versi...

4.3CVSS5.8AI score0.01937EPSS
CVE
CVE
added 2013/06/29 7:0 p.m.45 views

CVE-2013-3651

EC-CUBE vulnerability CVE-2013-3651 affects EC-CUBE versions 2.11.2–2.12.4. A crafted string can trigger remote PHP code execution via in-scope code paths in data/class/SC_CheckError.php and data/class/SC_FormParam.php, allowing arbitrary code execution with the application’s privileges on the se...

7.5CVSS6.9AI score0.04285EPSS
CVE
CVE
added 2013/06/29 4:0 p.m.45 views

CVE-2013-3652

CVE-2013-3652 is a cross-site scripting (XSS) vulnerability affecting LOCKON EC-CUBE versions 2.11.0 through 2.12.4. The flaw resides in the file data/class/pages/products/LC_Page_Products_List.php and can be exploited by manipulating the field classcategory_id2 to inject arbitrary web script or ...

4.3CVSS5.7AI score0.05932EPSS
Web
CVE
CVE
added 2013/11/21 2:0 a.m.45 views

CVE-2013-5991

The CVE-2013-5991 vulnerability affects EC-CUBE: the displaySystemError function in html/handle_error.php on LOCKON EC-CUBE versions 2.11.0–2.11.5 can disclose sensitive information due to incorrect handling of error-log output. Affected product is EC-CUBE (LOCKON), with the issue arising in erro...

4.3CVSS6.4AI score0.01309EPSS
CVE
CVE
added 2013/05/29 7:0 p.m.44 views

CVE-2013-2314

CVE-2013-2314 affects EC-CUBE 2.11.0–2.12.3enP2. The vulnerability is a cross-site scripting (XSS) in the adminAuthorization function within SC_Helper_Session.php, allowing a remote attacker to inject arbitrary script/HTML via a crafted URL used on the management screen. Root cause: improper hand...

4.3CVSS5.8AI score0.01792EPSS
CVE
CVE
added 2013/08/30 9:0 p.m.44 views

CVE-2013-4702

CVE-2013-4702 : In EC-CUBE (LOCKON) Windows deployments, directory traversal via the doApiAction path (SC_Api_Operation.php) allows remote reading of arbitrary files. Affected: EC-CUBE 2.12.0–2.12.5. Root cause: traversal vectors in parameters (Operation, Service, Style, Validate, Version). Impac...

5CVSS7AI score0.02098EPSS
CVE
CVE
added 2013/11/21 2:0 a.m.43 views

CVE-2013-5994

EC-CUBE information disclosure vulnerability CVE-2013-5994 affects EC-CUBE 2.11.2–2.13.0. The issue allows remote attackers to obtain the server file path via a crafted request, exposing sensitive information in an error message. Affected products are listed in JVN/JVNDB entries (EC-CUBE 2.11.2 t...

5CVSS6.3AI score0.01504EPSS
CVE
CVE
added 2013/11/21 2:0 a.m.43 views

CVE-2013-5995

CVE-2013-5995 affects EC-CUBE 2.12.3 through 2.13.0 (LOCKON). The issue lies in data/class/helper/SC_Helper_Address.php within the front-features implementation, allowing remote authenticated users to obtain sensitive information via unspecified vectors related to addresses. Connected documents c...

5.5CVSS5.8AI score0.01172EPSS
CVE
CVE
added 2018/04/20 1:0 p.m.43 views

CVE-2018-0564

EC-CUBE 3.x versions (3.0.0 through 3.0.15) are affected by a session fixation vulnerability. The issue arises from lack of renewal of session cookies, enabling remote attackers to impersonate authenticated users and perform arbitrary operations via unspecified vectors. Public references (JVN/JVN...

8.1CVSS7.9AI score0.01525EPSS
CVE
CVE
added 2011/05/13 5:0 p.m.42 views

CVE-2011-1325

EC-CUBE (vulnerability in EC-CUBE before 2.11.0) is affected by a cross-site request forgery (CSRF) that can hijack a logged-in user’s session via unknown vectors. The root cause is a CSRF flaw in handling authenticated requests. Impact is unauthorized actions in authenticated sessions. Remediati...

5.8CVSS7.3AI score0.0061EPSS
CVE
CVE
added 2016/04/30 10:0 a.m.42 views

CVE-2016-1201

Vulnerability summary: CVE-2016-1201 is a cross-site request forgery (CSRF) bug in EC-CUBE.6,7 The connected sources confirm affected product EC-CUBE (LOCKON) versions 3.0.0 through 3.0.9, where an attacker can cause an administrator’s session to perform unintended actions when visiting a malicio...

8.8CVSS8.9AI score0.00636EPSS
CVE
CVE
added 2011/10/21 6:0 p.m.40 views

CVE-2011-3988

EC-CUBE v2.11.0–2.11.2 is affected by a SQL injection vulnerability in data/class/SC_Query.php, allowing remote attackers to execute arbitrary SQL commands via unspecified vectors. The vulnerability enables viewing/modifying data and affects systems that process the vulnerable code path. Public s...

7.5CVSS8.6AI score0.02334EPSS
CVE
CVE
added 2015/10/27 1:0 a.m.40 views

CVE-2015-5665

LOCKON EC-CUBE is affected by a CSRF vulnerability (CWE-352) affecting versions 2.11.0 through 2.13.3 (some sources list up to 2.13.4). The flaw enables an attacker to hijack the authentication of arbitrary users by inducing requests that write to PHP scripts, tied to the doValidToken function. I...

5.1CVSS7.6AI score0.00646EPSS
CVE
CVE
added 2013/05/29 7:0 p.m.38 views

CVE-2013-2312

The CVE affects EC-CUBE (LOCKON) shopping-cart: XSS via crafted URL in EC-CUBE 2.11.0–2.12.3enP2 caused by improper handling/output of parameters. Impact is arbitrary script execution in the user’s browser when a cart item is present. Remediation: apply the vendor patch/update (per JVN entries li...

4.3CVSS5.8AI score0.01792EPSS