[Japanese]
|
JVNDB-2023-000019
|
Multiple cross-site scripting vulnerabilities in EC-CUBE
|
EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple cross-site scripting vulnerabilities listed below.
* Cross-site scripting vulnerability in Contents Management (CWE-79) - CVE-2023-22438
* Cross-site scripting vulnerability in Authentication Key Settings (CWE-79) - CVE-2023-25077
* Cross-site scripting vulnerability in Product List Screen and Product Detail Screen (CWE-79) - CVE-2023-22838
CVE-2023-22438
Gaku Mochizuki, Taiga Shirakura of Mitsui Bussan Secure Directions, Inc. and Shiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-25077
Noriaki Iwasaki of Cyber Defense Institute, Inc. reported this vulnerability to EC-CUBE CO.,LTD. and EC-CUBE CO.,LTD. Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
CVE-2023-22838
Rei TAKAHASHI of Hashiura Lab., Dept. of Data Science, Nippon Institute of Technology reported this vulnerability to EC-CUBE CO.,LTD. and EC-CUBE CO.,LTD. reported it to JPCERT/CC to notify users of its solution through JVN.
|
CVSS V3 Severity: Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 3.5 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single Instance
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-22438
|
CVSS V3 Severity:
Base Metrics:5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity
Base Metrics: 3.5 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-25077
|
CVSS V3 Severity:
Base Metrics:5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity
Base Metrics: 3.5 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-22838
|
|
EC-CUBE CO.,LTD.
- EC-CUBE 4.0.0 to 4.0.6-p2 (EC-CUBE 4 series) (CVE-2023-22438)
- EC-CUBE 4.1.0 to 4.1.2-p1 (EC-CUBE 4 series) (CVE-2023-22438)
- EC-CUBE 4.2.0 (EC-CUBE 4 series) (CVE-2023-22438)
- EC-CUBE 3.0.0 to 3.0.18-p5 (EC-CUBE 3 series) (CVE-2023-22438)
- EC-CUBE 2.11.0 to 2.11.5 (EC-CUBE 2 series) (CVE-2023-22438)
- EC-CUBE 2.12.0 to 2.12.6 (EC-CUBE 2 series) (CVE-2023-22438)
- EC-CUBE 2.13.0 to 2.13.5 (EC-CUBE 2 series) (CVE-2023-22438)
- EC-CUBE 2.17.0 to 2.17.2 (EC-CUBE 2 series) (CVE-2023-22438)
- EC-CUBE 4.0.0 to 4.0.6-p2 (EC-CUBE 4 series) (CVE-2023-25077, CVE-2023-22838)
- EC-CUBE 4.1.0 to 4.1.2-p1 (EC-CUBE 4 series) (CVE-2023-25077, CVE-2023-22838)
- EC-CUBE 4.2.0 (EC-CUBE 4 series) (CVE-2023-25077, CVE-2023-22838)
|
|
* An arbitrary script may be executed on the web browser of the user who is accessing the administrative page of the product - CVE-2023-22438, CVE-2023-25077
* An arbitrary script may be executed on the web browser of the user who is accessing a website that uses the product - CVE-2023-22838
|
[Update the software]
Update the software according to the information provided by the developer.
The developer has released EC-CUBE 4.2.1 that addresses these vulnerabilities.
[Apply the Workaround]
If an update cannot be applied, the developer recommends users applying the patches.
For more information, refer to the information provided by the developer.
|
EC-CUBE CO.,LTD.
|
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
- CVE-2023-22438
- CVE-2023-25077
- CVE-2023-22838
|
- JVN : JVN#04785663
- National Vulnerability Database (NVD) : CVE-2023-22438
- National Vulnerability Database (NVD) : CVE-2023-22838
- National Vulnerability Database (NVD) : CVE-2023-25077
|
- [2023/02/28]
Web page was published
- [2024/06/10]
References : Contents were added
|