|
[Japanese]
|
JVNDB-2022-000015
|
EC-CUBE improperly handles HTTP Host header values
|
|
EC-CUBE provided by EC-CUBE CO.,LTD. improperly handles HTTP Host header values (CWE-913).
EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 3.1 (Low) [IPA Score]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
|
EC-CUBE CO.,LTD.
- EC-CUBE 3.0.0 to 3.0.18-p3 (EC-CUBE 3 series)
- EC-CUBE 4.0.0 to 4.1.1 (EC-CUBE 4 series)
|
|
|
A remote attacker may direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users.
|
|
[Apply Workaround]
Apply the following workaround to avoid the impacts of this vulnerability.
* Set TRUSTED_HOSTS
For more information, refer to the information provided by the developer.
[Update the software and add the settings]
The developer has released EC-CUBE 4.1.2 (for EC-CUBE 4 series) which provides the user interface to configure TRUSTED_HOSTS.
Configure TRUSTED_HOSTS from [Admin Console > Settings > System Settings > Security].
According to the developer, TRUSTED_HOSTS is automatically configured when EC-CUBE 4.1.2 is newly installed.
|
|
EC-CUBE CO.,LTD.
|
|
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2022-25355
|
|
- JVN : JVN#53871926
|
|
- [2022/02/22]
Web page was published
|
