JVNDB-2017-000056

CS-Cart Japanese Edition fails to restrict access permissions

Overview

CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition fails to restrict access permissions (CWE-425).

Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


Simtech Ltd.
  • CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3)
  • CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3)

Impact

An unauthenticated remote attacker may obtain consumer information registered on the website, such as names and street addresses.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

Simtech Ltd.
CWE

  1. Permissions (CWE-264) [IPA Evaluation]
CVE

  1. CVE-2017-2139
References

  1. JVN : JVN#14396697
  2. National Vulnerability Database (NVD) : CVE-2017-2139
Revision History

  • [2017/04/10] Web page was published
  • [2017/06/01] References : Content was added