EC-CUBE 3 series and 4 series vulnerable to arbitrary code execution
EC-CUBE 3 series and 4 series provided by EC-CUBE CO.,LTD. contain an arbitrary code execution vulnerability (CWE-94) due to improper settings of the product's template engine "Twig".

Takeshi Miura of N.F.Laboratories Inc. reported this vulnerability to EC-CUBE CO.,LTD.
EC-CUBE CO.,LTD. reported this case to JPCERT/CC to notify users of its solution through JVN.
CVSS Severity

CVSS V3 Severity:
Base Metrics 7.2 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

  • EC-CUBE 4.0.0 to 4.0.6-p3 (EC-CUBE 4 series)
  • EC-CUBE 4.1.0 to 4.1.2-p2 (EC-CUBE 4 series)
  • EC-CUBE 4.2.0 to 4.2.2 (EC-CUBE 4 series)
  • EC-CUBE 3.0.0 to 3.0.18-p6 (EC-CUBE 3 series)


Arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.

[Update the software]
Update the software according to the information provided by the developer.
The developer has released EC-CUBE 4.2.3 that addresses this vulnerability.

[Apply the Workaround]
The developer has released the patches for the users who cannot apply the update.
For more information, refer to the information provided by the developer.
Vendor Information

CWE

  1. Code Injection (CWE-94) [IPA Evaluation]
CVE

  1. CVE-2023-46845
References

  1. JVN : JVN#29195731
  2. National Vulnerability Database (NVD) : CVE-2023-46845
Revision History

  • [2023/11/07]
      Web page was published
  • [2024/05/09]
      References : Content was added