JVNDB-2022-000013

EC-CUBE plugin "Mail Magazine Management Plugin" vulnerable to cross-site request forgery

EC-CUBE plugin "Mail Magazine Management Plugin" provided by EC-CUBE CO.,LTD. contains a cross-site request forgery vulnerability (CWE-352).

Kenta Yamamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

EC-CUBE CO.,LTD.

• Mail Magazine Management Plugin ver4.0.0 to 4.1.1 (for EC-CUBE 4 series)
• Mail Magazine Management Plugin ver1.0.0 to 1.0.4 (for EC-CUBE 3 series)

If a user with an administrative privilege views a malicious page while logged in to EC-CUBE which the plugin is installed, Mail Magazine Templates and/or transmitted history information may be deleted unintendedly.

[Update the plugin]
Update the plugin to the latest version according to the information provided by the developer.
The developer has released the following versions.
* ver4.1.2 (for EC-CUBE 4 series)
* ver1.0.5 (for EC-CUBE 3 series)

EC-CUBE CO.,LTD.

• EC-CUBE : EC-CUBE CO.,LTD. website (in Japanese)

1. Cross-Site Request Forgery(CWE-352) [IPA Evaluation]

1. CVE-2022-21179

1. JVN : JVN#67108459
2. National Vulnerability Database (NVD) : CVE-2022-21179

• [2022/02/22]
    Web page was published
• [2024/06/21]
    References : Content was added