JVNDB-2021-000083

EC-CUBE plugin "Order Status Batch Change Plug-in" vulnerable to cross-site scripting

Overview

EC-CUBE plugin "Order Status Batch Change Plug-in" provided by ActiveFusions Co., Ltd. contains a cross-site scripting vulnerability (CWE-79).
An arbitrary script may be executed by conducting a specific operation on the management page of EC-CUBE.

ActiveFusions Co., Ltd. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and ActiveFusions Co., Ltd. coordinated under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

ActiveFusions Co., Ltd.
  • Order Status Batch Change Plug-in (for EC-CUBE 3.0 series) all versions

Impact

If a remote attacker injects a specially crafted script into the specific input field of an EC website built with the plugin, an arbitrary script may be executed in the administrator's web browser.
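The defect class named above (CWE-79) arises in the usual way when order data that a remote visitor controls is written into the administrator's page without output encoding. The following is an added illustration, not code from the plugin, from ActiveFusions or from EC-CUBE: a row renderer that interpolates an untrusted field unchanged, beside a hardened renderer that encodes every value at the point of output. The field name `order_memo`, the sample order and the function names are assumptions made for this example.

```php
<?php
// Added illustration (not code from the plugin or from EC-CUBE itself):
// how a stored XSS of the kind described above arises, and the fix.
// The field name "order_memo", the constructed sample order and the
// two rendering functions are assumptions made for this example.
declare(strict_types=1);

// Constructed sample: an order field that an unauthenticated visitor can
// populate (e.g. during checkout) and that the admin page later displays.
const SAMPLE_ORDER = [
    'id'         => 1001,
    'status'     => 'new',
    'order_memo' => 'Please deliver after 6pm <script>alert(1)</script>',
];

/** Vulnerable: interpolates the untrusted field into HTML unchanged. */
function renderRowVulnerable(array $order): string
{
    return '<tr><td>' . $order['id'] . '</td><td>' . $order['status']
         . '</td><td>' . $order['order_memo'] . '</td></tr>';
}

/** Encode a value for an HTML element-text or quoted-attribute context. */
function e(string $value): string
{
    // ENT_QUOTES also neutralises ' and ", so the helper is safe inside
    // double- and single-quoted attributes, not only in element text.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Hardened: every untrusted value is encoded at the point of output. */
function renderRowSafe(array $order): string
{
    return '<tr><td>' . e((string) $order['id']) . '</td><td>'
         . e((string) $order['status']) . '</td><td>'
         . e((string) $order['order_memo']) . '</td></tr>';
}

/** Crude self-check used below: does the markup still carry a raw <script> tag? */
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$vuln = renderRowVulnerable(SAMPLE_ORDER);
$safe = renderRowSafe(SAMPLE_ORDER);

// The vulnerable output contains the tag verbatim; the hardened output
// contains only the encoded form "&lt;script&gt;", which the browser
// shows as text and never executes.
assert(containsRawScriptTag($vuln) === true);
assert(containsRawScriptTag($safe) === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

echo "vulnerable: $vuln\n";
echo "safe:       $safe\n";
```

Run with `php render_row.php` (any file name works). Encoding at output time, per context, is the mitigation that applies regardless of which input field carries the payload; EC-CUBE 3 renders its admin pages with Twig, whose autoescaping performs the same HTML encoding unless a template explicitly disables it (for example with the `|raw` filter), so reviewing templates for such exceptions is the practical check for this class of defect.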

Solution

[Stop using "Order Status Batch Change Plug-in"]
The developer states that the plugin is no longer developed or supported; therefore, stop using the plugin.

Vendor Information

ActiveFusions Co., Ltd.

CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]

CVE

  1. CVE-2021-20828

References

  1. JVN: JVN#23406150

Revision History

  • [2021/09/16]
      Web page was published