JVNDB-2018-000035
|
EC-CUBE vulnerable to session fixation
|
EC-CUBE provided by LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a session fixation vulnerability (CWE-384).
LOCKON CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LOCKON CO.,LTD. coordinated under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 4.2 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 5.8 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: None
|
|
LOCKON CO.,LTD.
- EC-CUBE 3.0.0
- EC-CUBE 3.0.1
- EC-CUBE 3.0.2
- EC-CUBE 3.0.3
- EC-CUBE 3.0.4
- EC-CUBE 3.0.5
- EC-CUBE 3.0.6
- EC-CUBE 3.0.7
- EC-CUBE 3.0.8
- EC-CUBE 3.0.9
- EC-CUBE 3.0.10
- EC-CUBE 3.0.11
- EC-CUBE 3.0.12
- EC-CUBE 3.0.12-p1
- EC-CUBE 3.0.13
- EC-CUBE 3.0.14
- EC-CUBE 3.0.15
|
|
A remote attacker impersonating a logged-in user may perform unintended operations with that user's privileges.
|
[Update the Software or Update source code]
Apply either of the measures listed below according to the information provided by the developer.
- Update the software to the latest version
- Update the source code by applying the difference file provided by the developer
|
LOCKON CO.,LTD.
|
- No Mapping (CWE-Other) [IPA Evaluation]
|
- CVE-2018-0564
|
- JVN : JVN#52695336
- National Vulnerability Database (NVD) : CVE-2018-0564
|
- [2018/04/17] Web page was published
- [2018/08/22] References: Contents were added
|