JVNDB-2008-000064
|
EC-CUBE cross-site scripting vulnerability
|
EC-CUBE provided by LOCKON CO.,LTD. contains a cross-site scripting vulnerability.
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a cross-site scripting vulnerability.
This vulnerability is different from JVN#61543834, JVN#26621646, and JVN#36085487.
Yuya Yoshida of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under the Information Security Early Warning Partnership.
|
CVSS V2 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
LOCKON CO.,LTD
- EC-CUBE Ver2 Version 2.1.2a and earlier
- EC-CUBE (community) Nightly-Build r17623 and earlier
- EC-CUBE Ver2 Beta(RC) Version 2.2.0-beta and earlier
|
|
An arbitrary script could be executed on the user's web browser.
|
[Update the Software]
Apply the latest updates provided by the vendor.
|
LOCKON CO.,LTD
|
- Cross-site Scripting (CWE-79) [IPA Evaluation]
|
- CVE-2008-4535
|
- JVN : JVN#99916563
- National Vulnerability Database (NVD) : CVE-2008-4535
- IPA SECURITY ALERTS : 200907_ec-cube (Japanese)
- Secunia Advisory : SA32065
- JVN iPedia (Japanese) : JVNDB-2008-000064
|
- [2008/10/01] Web page published
|