EC-Orange vulnerable to authorization bypass


EC-Orange provided by S-cubism Inc. is an e-commerce website building system package based on an open source software EC-CUBE.
EC-Orange contains an authorization bypass vulnerability (CWE-639).
This is the same issue as JVN#51770585 (EC-CUBE vulnerable to authorization bypass).

This vulnerability was reported on July 2015.
The coordination with the developer was resumed on December 2023, and this JVN publication was agreed upon.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

S-cubism Inc.
  • EC-Orange Systems deployed before June 29th, 2015


A user of the affected shopping website may obtain other users' information by sending a crafted HTTP request.

[Update the Software or Apply the Patch]
Update the software to the latest version or apply the patch according to the information provided by the developer.
For the systems deployed after June 29th, 2015, the issue has been already resolved.
Vendor Information

S-cubism Inc.
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-0808

  1. JVN : JVN#15637138
  2. JVN : EC-CUBE vulnerable to authorization bypass
  3. National Vulnerability Database (NVD) : CVE-2014-0808
Revision History

  • [2024/05/29]
      Web page was published