JVNDB-2021-000057
Multiple cross-site scripting vulnerabilities in EC-CUBE
EC-CUBE provided by EC-CUBE CO.,LTD. contains the multiple cross-site scripting vulnerabilities listed below.
*Cross-site scripting vulnerability (CWE-79) - CVE-2021-20750
*Cross-site scripting vulnerability (CWE-79) - CVE-2021-20751
hibiki moriyama of STNet, Incorporated reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 2.6 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20750
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 2.6 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20751
[Affected Products]
EC-CUBE CO.,LTD.
- EC-CUBE 3.0.0 to 3.0.18-p2 (EC-CUBE 3 series) (CVE-2021-20750)
- EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) (CVE-2021-20750)
- EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) (CVE-2021-20751)
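To check an installed instance against the ranges above, here is an added example (not part of the advisory and not EC-CUBE's own code) that parses EC-CUBE version strings, including the "-pN" patch-level suffix the advisory uses, and reports which of the listed CVEs apply. The AFFECTED table is transcribed from the list above, with both ends inclusive. Where the version string comes from (the admin dashboard, a file in the install) is outside the example; the sample versions at the bottom are constructed, and "4.1.0" is a hypothetical version outside every listed range.

```python
import re
from typing import List, Tuple

# Affected ranges exactly as listed in the advisory (inclusive on both ends).
AFFECTED = [
    ("CVE-2021-20750", "3.0.0", "3.0.18-p2"),
    ("CVE-2021-20750", "4.0.0", "4.0.5-p1"),
    ("CVE-2021-20751", "4.0.0", "4.0.5-p1"),
]

# major.minor.micro with an optional EC-CUBE patch level, e.g. "3.0.18-p2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse an EC-CUBE version string into a comparable (major, minor, micro, patch) tuple.

    A release without a "-pN" suffix has patch level 0, so tuple ordering gives
    "4.0.5" < "4.0.5-p1" < "4.0.6", which is the ordering the advisory's ranges rely on.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised EC-CUBE version string: {version!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def affected_cves(version: str) -> List[str]:
    """Return the advisory's CVE IDs whose affected range contains `version`, in advisory order."""
    v = parse_version(version)
    hits: List[str] = []
    for cve, low, high in AFFECTED:
        if parse_version(low) <= v <= parse_version(high) and cve not in hits:
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs; "4.1.0" is hypothetical and outside every listed range.
    for sample in ["3.0.18-p2", "4.0.5", "4.0.5-p1", "4.1.0"]:
        print(sample, "->", affected_cves(sample) or "not in a range listed by the advisory")
```

A version string the regex does not recognise raises ValueError rather than silently comparing as unaffected; a version outside every listed range returns an empty list, which only means the advisory does not list it, not that the install is patched.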
[Impact]
The expected impact depends on the vulnerability; the possible impacts are as follows.
*If a remote attacker leads an administrator of the product to a specially crafted page and induces them to perform a specific operation, an arbitrary script may be executed in the administrator's web browser - CVE-2021-20750
*If a remote attacker leads an administrator or a user of the product to a specially crafted page and induces them to perform a specific operation, an arbitrary script may be executed in the administrator's or the user's web browser - CVE-2021-20751
[Update the software]
An update is available for the EC-CUBE 4 series.
Update to the latest version according to the information provided by the developer.
For the EC-CUBE 3 series there is no updated release, but a patch is available.
[Apply the patch]
Patches are available for both EC-CUBE 3 and EC-CUBE 4 series.
For more information, refer to the information provided by the developer.
[Vendor Information]
EC-CUBE CO.,LTD.
[Type of Vulnerability]
- Cross-site Scripting (CWE-79) [IPA Evaluation]
[CVE]
- CVE-2021-20750
- CVE-2021-20751
[References]
- JVN : JVN#95292458
- National Vulnerability Database (NVD) : CVE-2021-20750
- National Vulnerability Database (NVD) : CVE-2021-20751
[Revision History]
- [2021/06/23] Web page was published