|
[Japanese]
|
JVNDB-2021-000049
|
Multiple ETUNA EC-CUBE plugins vulnerable to cross-site scripting
|
|
Multiple EC-CUBE plugins provided by ETUNA contain a cross-site scripting vulnerability (CWE-79).
An arbitrary script may be executed by executing a specific operation on the management page of EC-CUBE.
As of 2021 June 15, an attack exploting this vulnerability has been observed in the wild.
Yoshimitsu Kato of Asterisk Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
|
ETUNA
- Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier
- Delivery slip number plugin (3.0 series) 1.0.10 and earlier
- Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier
|
|
|
An arbitrary script may be executed on the web browser of the user who is accessing the administrative page of the affected product.
|
|
[Update the software]
Update to the latest version according to the information provided by the developer.
|
|
ETUNA
|
|
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
|
- CVE-2021-20735
|
|
- JVN : JVN#79254445
- National Vulnerability Database (NVD) : CVE-2021-20735
- JPCERT : Alert Regarding Cross Site Scripting Vulnerabilities in Multiple EC-CUBE 3.0 Series Plugins
|
|
- [2021/06/15]
Web page was published
- [2021/06/16]
References : Content was added
|
