|
[Japanese]
|
JVNDB-2026-000033
|
EC-CUBE vulnerable to multi-factor authentication bypass
|
|
EC-CUBE provided by EC-CUBE CO.,LTD. contains the following vulnerability.- Authentication bypass using an alternate path or channel (CWE-288) - CVE-2026-30777
EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 4.9 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
|
CVSS v4 Severity
Base Metrics: 6.9 (Medium) [IPA Score]
- Access Vector (AV): Network
- Attack Complexity (AC): Low
- Attack Requirements (AT): None
- Privileges Required (PR): High
- User Interaction (UI): None
Vulnerable System Impact
- Confidentiality Impact (VC): None
- Integrity Impact (VI): High
- Availability Impact (VA): None
Subsequent System Impact
- Confidentiality Impact (SC): None
- Integrity Impact (SI): None
- Availability Impact (SA): None
|
|
|
EC-CUBE CO.,LTD.
- EC-CUBE 4.1 series versions prior to 4.1.2-p5
- EC-CUBE 4.2 series versions prior to 4.2.3-p2
- EC-CUBE 4.3 series versions prior to 4.3.1-p1
|
|
|
An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page.
|
|
[Apply the patches]
Apply the appropriate patch according to the information provided by the developer.
|
|
EC-CUBE CO.,LTD.
|
|
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2026-30777
|
|
- JVN : JVN#63765888
|
|
- [2026/03/05]
Web page was published
|
