[Japanese]
|
JVNDB-2020-000080
|
Multiple vulnerabilities in EC-CUBE
|
EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple vulnerabilities listed below.
* Clickjacking attacks (CWE-1021) - CVE-2020-5679
* Improper input validation (CWE-20) - CVE-2020-5680
EC-CUBE CO.,LTD. reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 5.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
CVSS V2 Severity: Base Metrics 5.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2020-5680
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
2.6 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-5679
|
|
EC-CUBE CO.,LTD.
- EC-CUBE versions from 3.0.0 to 3.0.18 (CVE-2020-5679)
- EC-CUBE versions from 3.0.5 to 3.0.18 (CVE-2020-5680)
|
|
* If a user views a malicious page while logged in, unintended operations may be conducted - CVE-2020-5679
* A remote attacker may be able to cause a denial-of-service (DoS) condition - CVE-2020-5680
|
[Apply the patch]
Apply the appropriate patch according to the information provided by the developer.
|
EC-CUBE CO.,LTD.
|
- Improper Input Validation(CWE-20) [IPA Evaluation]
- No Mapping(CWE-Other) [IPA Evaluation]
|
- CVE-2020-5679
- CVE-2020-5680
|
- JVN : JVN#24457594
- National Vulnerability Database (NVD) : CVE-2020-5679
- National Vulnerability Database (NVD) : CVE-2020-5680
|
- [2020/12/03]
Web page was published
|