|
[Japanese]
|
JVNDB-2021-000035
|
EC-CUBE vulnerable to cross-site scripting
|
|
EC-CUBE provided by EC-CUBE CO.,LTD. contains a cross-site scripting vulnerability (CWE-79).
An arbitrary script may be executed by executing a specific operation on the management page of EC-CUBE.
As of 2021 May 10, an attack exploting this vulnerability has been observed in the wild.
EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 7.1 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
|
|
|
EC-CUBE CO.,LTD.
|
|
|
If a remote attacker injects a specially crafted script in the specific input field of the EC web site which is created using EC-CUBE, an arbitrary script may be executed on the administrator's web browser.
|
|
[Update the Softwere]
Update the software according to the information provided by the developer.
The developer has released the following version that addresses the vulnerability.
*4.0.5-p1
[Apply the Patch]
Apply the hotfix patch according to the information provided by the developer.
|
|
EC-CUBE CO.,LTD.
|
|
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
|
- CVE-2021-20717
|
|
- JVN : JVN#97554111
- National Vulnerability Database (NVD) : CVE-2021-20717
- IPA SECURITY ALERTS : Regarding cross-site scripting vulnerability in EC-CUBE (JVN#97554111) (in Japanese)
- JPCERT : Alert Regarding Cross Site Scripting Vulnerability (CVE-2021-20717) in EC-CUBE
|
|
- [2021/05/10]
Web page was published
|
