|
JVNDB-2021-000051
|
Multiple cross-site scripting vulnerabilities in multiple EC-CUBE plugins provided by EC-CUBE
|
Multiple EC-CUBE plugins provided by EC-CUBE CO.,LTD. contain multiple cross-site scripting vulnerabilities listed below.
*Cross-site scripting vulnerability (CWE-79) - CVE-2021-20742
*Cross-site scripting vulnerability (CWE-79) - CVE-2021-20743
*Cross-site scripting vulnerability (CWE-79) - CVE-2021-20744
EC-CUBE CO.,LTD. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 7.1 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
CVSS V2 Severity: Base Metrics 6.8 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20742
|
CVSS V3 Severity: Base Metrics 6.1 (Medium) [JPCERT/CC Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 2.6 (Low) [JPCERT/CC Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20743
|
CVSS V3 Severity: Base Metrics 6.1 (Medium) [JPCERT/CC Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 2.6 (Low) [JPCERT/CC Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20744
|
EC-CUBE CO.,LTD.
- Category contents plugin (for EC-CUBE 3.0 series) versions prior to version 1.0.1
- Mail Magazine Management Plugin (for EC-CUBE 3.0 series) versions prior to version 1.0.4
- Business form output plugin (for EC-CUBE 3.0 series) versions prior to version 1.0.1
|
The developer states that these issues exist only when the plugins run on EC-CUBE 3.0.0 through 3.0.8, and do not exist on EC-CUBE 3.0.9 or later.
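Two conditions from the affected-products list and the developer's statement above decide exposure: the plugin version must be below the fixed release, and the EC-CUBE core must be 3.0.0 through 3.0.8. Applying both across many stores by hand is error-prone, so the following is an added triage script in Python; it is not code from EC-CUBE CO.,LTD., JPCERT/CC or this advisory. It assumes the EC-CUBE 3.0 plugin layout app/Plugin/<Code>/config.yml with flat name:/code:/version: keys and the VERSION constant in src/Eccube/Common/Constant.php, and the plugin codes CategoryContent, MailMagazine and OrderPdf are assumed identifiers that should be checked against the config.yml of each installed plugin.

```python
"""Triage helper for JVN#57524494 (CVE-2021-20742/20743/20744).

Added example, not code from EC-CUBE or JPCERT/CC. Assumptions (not from the
advisory): each EC-CUBE 3.0 plugin ships app/Plugin/<Code>/config.yml with
flat `name:`, `code:` and `version:` keys, and the core version is the VERSION
constant in src/Eccube/Common/Constant.php. The plugin codes used as keys below
are assumed identifiers; verify them against your own config.yml files.
"""
import re
from pathlib import Path

# Fixed versions from the advisory (affected = any version before these).
# Keys are assumed plugin codes; values carry the advisory's plugin names.
FIXED_PLUGIN_VERSIONS = {
    "CategoryContent": ("Category contents plugin", "1.0.1"),
    "MailMagazine": ("Mail Magazine Management Plugin", "1.0.4"),
    "OrderPdf": ("Business form output plugin", "1.0.1"),
}

# Developer statement: the issues exist only on EC-CUBE 3.0.0 through 3.0.8.
AFFECTED_CORE_MIN = (3, 0, 0)
AFFECTED_CORE_MAX = (3, 0, 8)


def parse_version(text):
    """'1.0.4' -> (1, 0, 4). A suffix after '-' (e.g. '1.0.4-beta') is dropped
    so the comparison stays numeric and '1.0.10' sorts above '1.0.9'."""
    nums = re.findall(r"\d+", text.split("-", 1)[0])
    if not nums:
        raise ValueError("no numeric version in %r" % text)
    return tuple(int(n) for n in nums)


def parse_plugin_config(yaml_text):
    """Minimal reader for the top-level `key: value` lines of a plugin
    config.yml (no PyYAML dependency); indented/nested keys are ignored."""
    cfg = {}
    for line in yaml_text.splitlines():
        m = re.match(r"^(\w+):\s*(\S.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip().strip("'\"")
    return cfg


def parse_core_version(constant_php):
    """Extract `const VERSION = '3.0.x';` from Constant.php (assumed location)."""
    m = re.search(r"const\s+VERSION\s*=\s*['\"]([^'\"]+)['\"]", constant_php)
    if not m:
        raise ValueError("VERSION constant not found")
    return m.group(1)


def core_is_affected(core_version):
    return AFFECTED_CORE_MIN <= parse_version(core_version) <= AFFECTED_CORE_MAX


def plugin_is_affected(code, version):
    if code not in FIXED_PLUGIN_VERSIONS:
        return False
    return parse_version(version) < parse_version(FIXED_PLUGIN_VERSIONS[code][1])


def triage(core_version, plugin_configs):
    """Return [(plugin name, installed version, fixed version)] for plugins
    that must be updated; an empty list means this advisory does not apply."""
    findings = []
    if not core_is_affected(core_version):
        return findings  # developer states 3.0.9 or later is not affected
    for cfg in plugin_configs:
        code, ver = cfg.get("code"), cfg.get("version")
        if code and ver and plugin_is_affected(code, ver):
            name, fixed = FIXED_PLUGIN_VERSIONS[code]
            findings.append((name, ver, fixed))
    return findings


def triage_install(root):
    """Filesystem variant over an EC-CUBE root (assumed paths, see docstring)."""
    root = Path(root)
    core = parse_core_version((root / "src/Eccube/Common/Constant.php").read_text())
    configs = [parse_plugin_config(p.read_text())
               for p in (root / "app/Plugin").glob("*/config.yml")]
    return triage(core, configs)


if __name__ == "__main__":
    # Constructed sample input: an EC-CUBE 3.0.8 install with one outdated
    # plugin, one already at its fixed version, and one unrelated plugin.
    sample_core = "<?php\nclass Constant\n{\n    const VERSION = '3.0.8';\n}\n"
    sample_plugins = [
        "name: MailMagazine\ncode: MailMagazine\nversion: 1.0.3\nevent: MailMagazine\n",
        "name: OrderPdf\ncode: OrderPdf\nversion: 1.0.1\n",
        "name: ProductReview\ncode: ProductReview\nversion: 1.0.0\n",
    ]
    result = triage(parse_core_version(sample_core),
                    [parse_plugin_config(p) for p in sample_plugins])
    for name, installed, fixed in result:
        print("UPDATE: %s %s -> %s" % (name, installed, fixed))
```

Run it against a real install with `triage_install("/path/to/eccube")`; a finding means the plugin is below the fixed release on a core version the developer lists as affected, and nothing is reported for cores at 3.0.9 or later, matching the developer's statement rather than guessing beyond it.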
|
*If a remote attacker injects a specially crafted script into a specific input field of an EC site built with EC-CUBE, an arbitrary script may be executed in the administrator's web browser - CVE-2021-20742
*If a remote attacker leads a user of the product to a specially crafted page and has the user perform a specific operation, an arbitrary script may be executed in the user's web browser - CVE-2021-20743
*If a remote attacker leads an administrator or a user of the product to a specially crafted page and has them perform a specific operation, an arbitrary script may be executed in the administrator's or the user's web browser - CVE-2021-20744
|
[Update the plugin]
Update the plugin to the latest version according to the information provided by the developer. For the EC-CUBE 3.0 series, the releases that fix these issues are Category contents plugin 1.0.1, Mail Magazine Management Plugin 1.0.4 and Business form output plugin 1.0.1.
|
EC-CUBE CO.,LTD.
|
- Cross-site Scripting (CWE-79) [IPA Evaluation]
|
- CVE-2021-20742
- CVE-2021-20743
- CVE-2021-20744
|
- JVN : JVN#57524494
- National Vulnerability Database (NVD) : CVE-2021-20742
- National Vulnerability Database (NVD) : CVE-2021-20743
- National Vulnerability Database (NVD) : CVE-2021-20744
- JPCERT : Alert Regarding Cross Site Scripting Vulnerabilities in Multiple EC-CUBE 3.0 Series Plugins
|
- [2021/06/16]
Web page was published
|