[Japanese]
|
JVNDB-2020-000039
|
EC-CUBE vulnerable to directory traversal
|
EC-CUBE provided by EC-CUBE CO.,LTD. contains a directory traversal vulnerability (CWE-22).
EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 3.5 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single Instance
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
EC-CUBE CO.,LTD.
- EC-CUBE 3.0.0 to 3.0.18
- EC-CUBE 4.0.0 to 4.0.3
|
|
A user who can login to the management screen of the product may delete arbitrary files and/or directories on the server.
|
[Update the Software]
The update for EC-CUBE 4 is available. Update the software to the latest version according to the information provided by the developer.
The update for EC-CUBE 3 is not provided but the patch is available instead.
[Apply the Patch]
Patches for EC-CUBE 3 and EC-CUBE 4 are available.
For more information, refer to the information provided by the developer.
|
EC-CUBE CO.,LTD.
|
- Path Traversal(CWE-22) [IPA Evaluation]
|
- CVE-2020-5590
|
- JVN : JVN#77458946
- National Vulnerability Database (NVD) : CVE-2020-5590
|
- [2020/06/18]
Web page was published
|