GHSA-7RHV-H82H-VPJH

Vulnerability from github – Published: 2026-03-05 21:14 – Updated: 2026-03-05 21:14
VLAI
Summary
EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface
Details

Vulnerability Allowing MFA Bypass

Affected EC-CUBE Versions

Versions: 4.1.0 – 4.3.1

Vulnerability Overview

If an administrator’s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication (2FA) and log in to the administrative interface.

Severity and Impact

CVSS v3.1 score
Base score: 6.2 / Temporal score: 5.7 / Environmental score (after mitigation and countermeasures): 0.0

An attacker can forcibly overwrite the 2FA configuration of an account with administrative privileges. As a result, the legitimate administrator can be locked out, while the attacker can log in to the administrative interface and perform unauthorized actions such as viewing sensitive information or tampering with the website.

Root Cause Details

There are flaws in the access control implementation for the 2FA settings page (/admin/two_factor_auth/set).

  1. TwoFactorAuthListener.php
    The route for the 2FA settings page (admin_two_factor_auth_set) is included in the list of routes excluded from the 2FA authentication check.

  2. TwoFactorAuthController.php
    Even for users who already have 2FA configured, the implementation allows reconfiguration (overwriting) of the 2FA secret key without passing 2FA authentication.

Attack Preconditions and Steps

Preconditions: - The attacker knows the administrative user’s ID and password. - 2FA is enabled for that user.

Attack Steps: 1. Attempt to log in using the ID and password. 2. When the 2FA code entry screen is displayed, do not enter a code; instead, directly modify the URL to access /admin/two_factor_auth/set. 3. Because access is not denied, the attacker can generate and save (overwrite) a new 2FA secret key.

MFAバイパスが可能な脆弱性

EC-CUBEバージョン

バージョン: 4.1.0 ~ 4.3.1

脆弱性の概要

管理者のIDとパスワードが漏洩している場合、本来必要な2段階認証を回避して管理画面にログインできてしまう問題です。

深刻度と影響

CVSS3.1スコア:基本評価:6.2 / 現状評価:5.7 / 環境評価(緩和・対策後):0.0

攻撃者は管理者権限を持つアカウントの2FA設定を強制的に上書きできます。これにより、正規の管理者を締め出しつつ、攻撃者自身が管理画面へログインし、機密情報の閲覧やWebサイトの改ざんなどの不正操作を行うことが可能になります。

脆弱性の詳細な原因

システムの実装において、2FA設定画面(/admin/two_factor_auth/set)へのアクセス制御に不備があり。

  1. TwoFactorAuthListener.php 2FA認証チェックを除外するルート設定に、設定画面(admin_two_factor_auth_set)が含まれている。
  2. TwoFactorAuthController.php 既に2FA設定済みのユーザーであっても、2FA認証を通過せずに新しい鍵の再設定(上書き)を受け入れてしまう仕様になっている。

攻撃の成立条件と手順

前提条件: 管理ユーザーのIDとパスワードを知っていること。 そのユーザーで2FAが有効化されていること。

攻撃手順:

  1. IDとパスワードでログインを試行する。
  2. 2FAコード入力画面が表示されるが、入力を行わずに直接URLを書き換えて /admin/two_factor_auth/set へアクセスする。
  3. アクセスが拒否されないため、攻撃者は新しい2FA秘密鍵を発行し、保存(上書き)する。
  4. 以降、攻撃者が作成した新しい2FAコードを使ってログインが可能になる。
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ec-cube/ec-cube"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "last_affected": "4.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T21:14:57Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "# Vulnerability Allowing MFA Bypass\n\n## Affected EC-CUBE Versions\nVersions: 4.1.0 \u2013 4.3.1\n\n## Vulnerability Overview\nIf an administrator\u2019s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication (2FA) and log in to the administrative interface.\n\n## Severity and Impact\n\n**CVSS v3.1 score**  \nBase score: 6.2 / Temporal score: 5.7 / Environmental score (after mitigation and countermeasures): 0.0\n\nAn attacker can forcibly overwrite the 2FA configuration of an account with administrative privileges. As a result, the legitimate administrator can be locked out, while the attacker can log in to the administrative interface and perform unauthorized actions such as viewing sensitive information or tampering with the website.\n\n## Root Cause Details\n\nThere are flaws in the access control implementation for the 2FA settings page (`/admin/two_factor_auth/set`).\n\n1. **TwoFactorAuthListener.php**  \n   The route for the 2FA settings page (`admin_two_factor_auth_set`) is included in the list of routes excluded from the 2FA authentication check.\n\n2. **TwoFactorAuthController.php**  \n   Even for users who already have 2FA configured, the implementation allows reconfiguration (overwriting) of the 2FA secret key without passing 2FA authentication.\n\n## Attack Preconditions and Steps\n\n**Preconditions:**\n- The attacker knows the administrative user\u2019s ID and password.\n- 2FA is enabled for that user.\n\n**Attack Steps:**\n1. Attempt to log in using the ID and password.\n2. When the 2FA code entry screen is displayed, do not enter a code; instead, directly modify the URL to access `/admin/two_factor_auth/set`.\n3. Because access is not denied, the attacker can generate and save (overwrite) a new 2FA secret key.\n\n\n# MFA\u30d0\u30a4\u30d1\u30b9\u304c\u53ef\u80fd\u306a\u8106\u5f31\u6027\n\n## EC-CUBE\u30d0\u30fc\u30b8\u30e7\u30f3\n\u30d0\u30fc\u30b8\u30e7\u30f3:  4.1.0 ~ 4.3.1\n\n## \u8106\u5f31\u6027\u306e\u6982\u8981\n\u7ba1\u7406\u8005\u306eID\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u304c\u6f0f\u6d29\u3057\u3066\u3044\u308b\u5834\u5408\u3001\u672c\u6765\u5fc5\u8981\u306a2\u6bb5\u968e\u8a8d\u8a3c\u3092\u56de\u907f\u3057\u3066\u7ba1\u7406\u753b\u9762\u306b\u30ed\u30b0\u30a4\u30f3\u3067\u304d\u3066\u3057\u307e\u3046\u554f\u984c\u3067\u3059\u3002\n\n## \u6df1\u523b\u5ea6\u3068\u5f71\u97ff\n\nCVSS3.1\u30b9\u30b3\u30a2\uff1a\u57fa\u672c\u8a55\u4fa1:6.2  / \u73fe\u72b6\u8a55\u4fa1:5.7  / \u74b0\u5883\u8a55\u4fa1(\u7de9\u548c\u30fb\u5bfe\u7b56\u5f8c):0.0 \n\n\u653b\u6483\u8005\u306f\u7ba1\u7406\u8005\u6a29\u9650\u3092\u6301\u3064\u30a2\u30ab\u30a6\u30f3\u30c8\u306e2FA\u8a2d\u5b9a\u3092\u5f37\u5236\u7684\u306b\u4e0a\u66f8\u304d\u3067\u304d\u307e\u3059\u3002\u3053\u308c\u306b\u3088\u308a\u3001\u6b63\u898f\u306e\u7ba1\u7406\u8005\u3092\u7de0\u3081\u51fa\u3057\u3064\u3064\u3001\u653b\u6483\u8005\u81ea\u8eab\u304c\u7ba1\u7406\u753b\u9762\u3078\u30ed\u30b0\u30a4\u30f3\u3057\u3001\u6a5f\u5bc6\u60c5\u5831\u306e\u95b2\u89a7\u3084Web\u30b5\u30a4\u30c8\u306e\u6539\u3056\u3093\u306a\u3069\u306e\u4e0d\u6b63\u64cd\u4f5c\u3092\u884c\u3046\u3053\u3068\u304c\u53ef\u80fd\u306b\u306a\u308a\u307e\u3059\u3002\n\n## \u8106\u5f31\u6027\u306e\u8a73\u7d30\u306a\u539f\u56e0\n\n\u30b7\u30b9\u30c6\u30e0\u306e\u5b9f\u88c5\u306b\u304a\u3044\u3066\u30012FA\u8a2d\u5b9a\u753b\u9762(/admin/two_factor_auth/set)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u306b\u4e0d\u5099\u304c\u3042\u308a\u3002\n\n1. TwoFactorAuthListener.php\n2FA\u8a8d\u8a3c\u30c1\u30a7\u30c3\u30af\u3092\u9664\u5916\u3059\u308b\u30eb\u30fc\u30c8\u8a2d\u5b9a\u306b\u3001\u8a2d\u5b9a\u753b\u9762(admin_two_factor_auth_set)\u304c\u542b\u307e\u308c\u3066\u3044\u308b\u3002\n2. TwoFactorAuthController.php\n\u65e2\u306b2FA\u8a2d\u5b9a\u6e08\u307f\u306e\u30e6\u30fc\u30b6\u30fc\u3067\u3042\u3063\u3066\u3082\u30012FA\u8a8d\u8a3c\u3092\u901a\u904e\u305b\u305a\u306b\u65b0\u3057\u3044\u9375\u306e\u518d\u8a2d\u5b9a(\u4e0a\u66f8\u304d)\u3092\u53d7\u3051\u5165\u308c\u3066\u3057\u307e\u3046\u4ed5\u69d8\u306b\u306a\u3063\u3066\u3044\u308b\u3002\n\n## \u653b\u6483\u306e\u6210\u7acb\u6761\u4ef6\u3068\u624b\u9806\n\n\u524d\u63d0\u6761\u4ef6:\n\u7ba1\u7406\u30e6\u30fc\u30b6\u30fc\u306eID\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u77e5\u3063\u3066\u3044\u308b\u3053\u3068\u3002\n\u305d\u306e\u30e6\u30fc\u30b6\u30fc\u30672FA\u304c\u6709\u52b9\u5316\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u3002\n\n\u653b\u6483\u624b\u9806:\n\n1. ID\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u3067\u30ed\u30b0\u30a4\u30f3\u3092\u8a66\u884c\u3059\u308b\u3002\n2. 2FA\u30b3\u30fc\u30c9\u5165\u529b\u753b\u9762\u304c\u8868\u793a\u3055\u308c\u308b\u304c\u3001\u5165\u529b\u3092\u884c\u308f\u305a\u306b\u76f4\u63a5URL\u3092\u66f8\u304d\u63db\u3048\u3066 /admin/two_factor_auth/set \u3078\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3002\n3. \u30a2\u30af\u30bb\u30b9\u304c\u62d2\u5426\u3055\u308c\u306a\u3044\u305f\u3081\u3001\u653b\u6483\u8005\u306f\u65b0\u3057\u30442FA\u79d8\u5bc6\u9375\u3092\u767a\u884c\u3057\u3001\u4fdd\u5b58(\u4e0a\u66f8\u304d)\u3059\u308b\u3002\n4. \u4ee5\u964d\u3001\u653b\u6483\u8005\u304c\u4f5c\u6210\u3057\u305f\u65b0\u3057\u30442FA\u30b3\u30fc\u30c9\u3092\u4f7f\u3063\u3066\u30ed\u30b0\u30a4\u30f3\u304c\u53ef\u80fd\u306b\u306a\u308b\u3002",
  "id": "GHSA-7rhv-h82h-vpjh",
  "modified": "2026-03-05T21:14:57Z",
  "published": "2026-03-05T21:14:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/EC-CUBE/ec-cube/security/advisories/GHSA-7rhv-h82h-vpjh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EC-CUBE/ec-cube/commit/094785943bfc3815c29f0cce9dbabb9bcc688474"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/EC-CUBE/ec-cube"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…