JVNDB-2008-000065

[Japanese]
JVNDB-2008-000065
EC-CUBE vulnerable to SQL injection
Overview
EC-CUBE provided by LOCKON CO.,LTD. contains a SQL injection vulnerability. EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a SQL injection vulnerability.
CVSS Severity (What is CVSS?)
CVSS V2 Severity: Base Metrics 7.5 (High) [IPA Score] Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
Affected Products

LOCKON CO.,LTD EC-CUBE Ver2 Version 2.1.2a and earlier EC-CUBE Ver2 RC Version 2.3.0-rc1 and earlier

Impact
An remote attacker could obtain the website administrator's privilege which was created using EC-CUBE.
Solution
[Update the Software] Apply the latest updates provided by the vendor.
Vendor Information
LOCKON CO.,LTD LOCKON CO.,LTD : 2008/10/01 (Japanese) LOCKON CO.,LTD : news_id=100 (Japanese)
CWE (What is CWE?)
SQL Injection(CWE-89) [IPA Evaluation]
CVE (What is CVE?)
CVE-2008-4534
References
JVN : JVN#81111541 National Vulnerability Database (NVD) : CVE-2008-4534 IPA SECURITY ALERTS : 200907_ec-cube (Japanese) IPA SECURITY ALERTS : Security Alert for EC-CUBE Vulnerability Secunia Advisory : SA32065 JVN iPedia (Japanese) : JVNDB-2008-000065
Revision History
[2008/10/01] Web page published

EC-CUBE vulnerable to SQL injection