[Japanese]

JVNDB-2017-000056

CS-Cart Japanese Edition fails to restrict access permissions

Overview

CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition fails to restrict access permissions (CWE-425).

Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

CVSS V3 Severity:
Base Metrics: 5.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


Simtech Ltd.
  • CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3)
  • CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3)

Impact

An unauthenticated remote attacker may obtain consumer's information such as its name and street address registered in the website.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

Simtech Ltd.
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2017-2139
References

  1. JVN : JVN#14396697
Revision History

[2017/04/10]
  Web page was published