[Japanese]
|
JVNDB-2011-000087
|
EC-CUBE vulnerable to SQL injection
|
EC-CUBE contains a SQL injection vulnerability.
EC-CUBE provided by LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains an issue in assembling SQL statements, leading to a SQL injection vulnerability.
This vulnerability is different from JVN#81111541 and JVN#19072922.
Tsukada Nobuhisa of Seasoft reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
CVSS V2 Severity: Base Metrics 5.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
|
|
LOCKON CO.,LTD
- EC-CUBE Ver 2.11.0 through 2.11.2
|
|
A remote, unauthenticated attacker may view contents stored by EC-CUBE.
|
[Update the Software]
Update to the latest version according to the information provided by the developer.
|
LOCKON CO.,LTD
|
- SQL Injection(CWE-89) [IPA Evaluation]
|
- CVE-2011-3988
|
- JVN : JVN#44496332
- National Vulnerability Database (NVD) : CVE-2011-3988
- IPA SECURITY ALERTS : Security Alert for Vulnerability in EC-CUBE
|
- [2011/10/14]
Web page published
|