All the vulnerabilites related to EC-CUBE CO.,LTD. - EC-CUBE 4 series
cve-2023-22838
Vulnerability from cvelistv5
Published
2023-03-05 00:00
Modified
2024-08-02 10:20
Severity ?
Summary
Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:20:31.054Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.ec-cube.net/info/weakness/20230214/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN04785663/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "EC-CUBE 4 series",
          "vendor": "EC-CUBE CO.,LTD.",
          "versions": [
            {
              "status": "affected",
              "version": "EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-05T00:00:00",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.ec-cube.net/info/weakness/20230214/"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN04785663/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2023-22838",
    "datePublished": "2023-03-05T00:00:00",
    "dateReserved": "2023-02-17T00:00:00",
    "dateUpdated": "2024-08-02T10:20:31.054Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-38975
Vulnerability from cvelistv5
Published
2022-09-27 01:55
Modified
2024-08-03 11:10
Severity ?
Summary
DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T11:10:32.098Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.ec-cube.net/info/weakness/20220909/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN21213852/index.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "EC-CUBE 4 series",
          "vendor": "EC-CUBE CO.,LTD.",
          "versions": [
            {
              "status": "affected",
              "version": "EC-CUBE 4.0.0 to 4.1.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-27T01:55:16",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.ec-cube.net/info/weakness/20220909/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jvn.jp/en/jp/JVN21213852/index.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2022-38975",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "EC-CUBE 4 series",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "EC-CUBE 4.0.0 to 4.1.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "EC-CUBE CO.,LTD."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.ec-cube.net/info/weakness/20220909/",
              "refsource": "MISC",
              "url": "https://www.ec-cube.net/info/weakness/20220909/"
            },
            {
              "name": "https://jvn.jp/en/jp/JVN21213852/index.html",
              "refsource": "MISC",
              "url": "https://jvn.jp/en/jp/JVN21213852/index.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2022-38975",
    "datePublished": "2022-09-27T01:55:16",
    "dateReserved": "2022-09-09T00:00:00",
    "dateUpdated": "2024-08-03T11:10:32.098Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-25077
Vulnerability from cvelistv5
Published
2023-03-05 00:00
Modified
2024-08-02 11:11
Severity ?
Summary
Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:11:43.452Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.ec-cube.net/info/weakness/20230214/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN04785663/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "EC-CUBE 4 series",
          "vendor": "EC-CUBE CO.,LTD.",
          "versions": [
            {
              "status": "affected",
              "version": "EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-05T00:00:00",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.ec-cube.net/info/weakness/20230214/"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN04785663/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2023-25077",
    "datePublished": "2023-03-05T00:00:00",
    "dateReserved": "2023-02-17T00:00:00",
    "dateUpdated": "2024-08-02T11:11:43.452Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-46845
Vulnerability from cvelistv5
Published
2023-11-07 07:39
Modified
2024-09-04 20:28
Severity ?
Summary
EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.
Impacted products
Vendor Product Version
EC-CUBE CO.,LTD. EC-CUBE 3 series Version: 3.0.0 to 3.0.18-p6
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T20:53:21.888Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.ec-cube.net/info/weakness/20231026/index_40.php"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.ec-cube.net/info/weakness/20231026/index.php"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.ec-cube.net/info/weakness/20231026/index_3.php"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN29195731/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-46845",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-04T20:27:53.327326Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-04T20:28:15.713Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "EC-CUBE 4 series",
          "vendor": "EC-CUBE CO.,LTD.",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.0 to 4.0.6-p3"
            },
            {
              "status": "affected",
              "version": " 4.1.0 to 4.1.2-p2"
            },
            {
              "status": "affected",
              "version": " and 4.2.0 to 4.2.2"
            }
          ]
        },
        {
          "product": "EC-CUBE 3 series",
          "vendor": "EC-CUBE CO.,LTD.",
          "versions": [
            {
              "status": "affected",
              "version": "3.0.0 to 3.0.18-p6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Code injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-07T07:39:57.896Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.ec-cube.net/info/weakness/20231026/index_40.php"
        },
        {
          "url": "https://www.ec-cube.net/info/weakness/20231026/index.php"
        },
        {
          "url": "https://www.ec-cube.net/info/weakness/20231026/index_3.php"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN29195731/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2023-46845",
    "datePublished": "2023-11-07T07:39:57.896Z",
    "dateReserved": "2023-10-27T08:05:25.926Z",
    "dateUpdated": "2024-09-04T20:28:15.713Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-41924
Vulnerability from cvelistv5
Published
2024-07-30 08:45
Modified
2024-08-02 04:54
Summary
Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are installed, the product may be affected by some known vulnerabilities.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:ec-cube:ec-cube:4.0.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ec-cube",
            "vendor": "ec-cube",
            "versions": [
              {
                "lessThanOrEqual": "4.0.6-p4",
                "status": "affected",
                "version": "4.0.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:ec-cube:ec-cube:4.1.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ec-cube",
            "vendor": "ec-cube",
            "versions": [
              {
                "lessThanOrEqual": "4.1.2-p3",
                "status": "affected",
                "version": "4.1.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:ec-cube:ec-cube:4.2.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ec-cube",
            "vendor": "ec-cube",
            "versions": [
              {
                "lessThanOrEqual": "4.2.3",
                "status": "affected",
                "version": "4.2.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.2,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-41924",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-30T15:09:19.816048Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-30T15:13:11.505Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:54:31.275Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.ec-cube.net/info/weakness/20240701/index.php"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN48324254/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "EC-CUBE 4 series",
          "vendor": "EC-CUBE CO.,LTD.",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.0 to 4.0.6-p4"
            },
            {
              "status": "affected",
              "version": "4.1.0 to 4.1.2-p3"
            },
            {
              "status": "affected",
              "version": "and 4.2.0 to 4.2.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are installed, the product may be affected by some known vulnerabilities."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Acceptance of extraneous untrusted data with trusted data",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-30T08:45:48.496Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.ec-cube.net/info/weakness/20240701/index.php"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN48324254/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2024-41924",
    "datePublished": "2024-07-30T08:45:48.496Z",
    "dateReserved": "2024-07-24T06:07:32.248Z",
    "dateUpdated": "2024-08-02T04:54:31.275Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}