|
[Japanese]
|
JVNDB-2023-000107
|
EC-CUBE 3 series and 4 series vulnerable to arbitrary code execution
|
|
EC-CUBE 3 series and 4 series provided by EC-CUBE CO.,LTD. contain an arbitrary code execution vulnerability (CWE-94) due to improper settings of the product's template engine "Twig".
Takeshi Miura of N.F.Laboratories Inc. reported this vulnerability to EC-CUBE CO.,LTD.
EC-CUBE CO.,LTD. Inc. reported this case to JPCERT/CC to notify users of its solution through JVN.
|
|
CVSS V3 Severity:
Base Metrics 7.2 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
|
|
|
EC-CUBE CO.,LTD.
- EC-CUBE EC-CUBE 4.0.0 to 4.0.6-p3 (EC-CUBE 4 series)
- EC-CUBE EC-CUBE 4.1.0 to 4.1.2-p2 (EC-CUBE 4 series)
- EC-CUBE EC-CUBE 4.2.0 to 4.2.2 (EC-CUBE 4 series)
- EC-CUBE EC-CUBE 3.0.0 to 3.0.18-p6 (EC-CUBE 3 series)
|
|
|
Arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.
|
|
[Update the software]
Update the software according to the information provided by the developer.
The developer has released EC-CUBE 4.2.3 that addresses this vulnerability.
[Apply the Workaround]
The developer has released the patches for the users who cannot apply the update.
For more information, refer to the information provided by the developer.
|
|
EC-CUBE CO.,LTD.
|
|
- Code Injection(CWE-94) [IPA Evaluation]
|
|
- CVE-2023-46845
|
|
- JVN : JVN#29195731
|
|
- [2023/11/07]
Web page was published
|
