Search

Find a vulnerability

Search criteria

    10 vulnerabilities found for EC-CUBE 4 series by EC-CUBE CO.,LTD.

    CVE-2024-41924 (GCVE-0-2024-41924)

    Vulnerability from nvd – Published: 2024-07-30 08:45 – Updated: 2025-03-18 18:30
    VLAI
    Summary
    Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are installed, the product may be affected by some known vulnerabilities.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Acceptance of extraneous untrusted data with trusted data
    • CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
    Assigner
    Impacted products
    Vendor Product Version
    EC-CUBE CO.,LTD. EC-CUBE 4 series Affected: 4.0.0 to 4.0.6-p4
    Affected: 4.1.0 to 4.1.2-p3
    Affected: and 4.2.0 to 4.2.3
    Create a notification for this product.
    ec-cube ec-cube Affected: 4.0.0 , ≤ 4.0.6-p4 (custom)
        cpe:2.3:a:ec-cube:ec-cube:4.0.0:*:*:*:*:*:*:*
    Create a notification for this product.
    ec-cube ec-cube Affected: 4.1.0 , ≤ 4.1.2-p3 (custom)
        cpe:2.3:a:ec-cube:ec-cube:4.1.0:*:*:*:*:*:*:*
    Create a notification for this product.
    ec-cube ec-cube Affected: 4.2.0 , ≤ 4.2.3 (custom)
        cpe:2.3:a:ec-cube:ec-cube:4.2.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:ec-cube:ec-cube:4.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ec-cube",
                "vendor": "ec-cube",
                "versions": [
                  {
                    "lessThanOrEqual": "4.0.6-p4",
                    "status": "affected",
                    "version": "4.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:ec-cube:ec-cube:4.1.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ec-cube",
                "vendor": "ec-cube",
                "versions": [
                  {
                    "lessThanOrEqual": "4.1.2-p3",
                    "status": "affected",
                    "version": "4.1.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:ec-cube:ec-cube:4.2.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ec-cube",
                "vendor": "ec-cube",
                "versions": [
                  {
                    "lessThanOrEqual": "4.2.3",
                    "status": "affected",
                    "version": "4.2.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-41924",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-30T15:09:19.816048Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-349",
                    "description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-18T18:30:25.776Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:54:31.275Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.ec-cube.net/info/weakness/20240701/index.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN48324254/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "EC-CUBE 4 series",
              "vendor": "EC-CUBE CO.,LTD.",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.0.0 to 4.0.6-p4"
                },
                {
                  "status": "affected",
                  "version": "4.1.0 to 4.1.2-p3"
                },
                {
                  "status": "affected",
                  "version": "and 4.2.0 to 4.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are installed, the product may be affected by some known vulnerabilities."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Acceptance of extraneous untrusted data with trusted data",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-30T08:45:48.496Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.ec-cube.net/info/weakness/20240701/index.php"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN48324254/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-41924",
        "datePublished": "2024-07-30T08:45:48.496Z",
        "dateReserved": "2024-07-24T06:07:32.248Z",
        "dateUpdated": "2025-03-18T18:30:25.776Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-46845 (GCVE-0-2023-46845)

    Vulnerability from nvd – Published: 2023-11-07 07:39 – Updated: 2024-09-04 20:28
    VLAI
    Summary
    EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Code injection
    Assigner
    Impacted products
    Vendor Product Version
    EC-CUBE CO.,LTD. EC-CUBE 4 series Affected: 4.0.0 to 4.0.6-p3
    Affected: 4.1.0 to 4.1.2-p2
    Affected: and 4.2.0 to 4.2.2
    Create a notification for this product.
    EC-CUBE CO.,LTD. EC-CUBE 3 series Affected: 3.0.0 to 3.0.18-p6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:53:21.888Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.ec-cube.net/info/weakness/20231026/index_40.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.ec-cube.net/info/weakness/20231026/index.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.ec-cube.net/info/weakness/20231026/index_3.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN29195731/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-46845",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-04T20:27:53.327326Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-04T20:28:15.713Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "EC-CUBE 4 series",
              "vendor": "EC-CUBE CO.,LTD.",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.0.0 to 4.0.6-p3"
                },
                {
                  "status": "affected",
                  "version": " 4.1.0 to 4.1.2-p2"
                },
                {
                  "status": "affected",
                  "version": " and 4.2.0 to 4.2.2"
                }
              ]
            },
            {
              "product": "EC-CUBE 3 series",
              "vendor": "EC-CUBE CO.,LTD.",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0.0 to 3.0.18-p6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Code injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-07T07:39:57.896Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.ec-cube.net/info/weakness/20231026/index_40.php"
            },
            {
              "url": "https://www.ec-cube.net/info/weakness/20231026/index.php"
            },
            {
              "url": "https://www.ec-cube.net/info/weakness/20231026/index_3.php"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN29195731/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-46845",
        "datePublished": "2023-11-07T07:39:57.896Z",
        "dateReserved": "2023-10-27T08:05:25.926Z",
        "dateUpdated": "2024-09-04T20:28:15.713Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25077 (GCVE-0-2023-25077)

    Vulnerability from nvd – Published: 2023-03-05 00:00 – Updated: 2025-03-06 15:59
    VLAI
    Summary
    Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting
    Assigner
    Impacted products
    Vendor Product Version
    EC-CUBE CO.,LTD. EC-CUBE 4 series Affected: EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:11:43.452Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.ec-cube.net/info/weakness/20230214/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN04785663/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25077",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-06T15:59:18.281604Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-06T15:59:31.592Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "EC-CUBE 4 series",
              "vendor": "EC-CUBE CO.,LTD.",
              "versions": [
                {
                  "status": "affected",
                  "version": "EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-05T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.ec-cube.net/info/weakness/20230214/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN04785663/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-25077",
        "datePublished": "2023-03-05T00:00:00.000Z",
        "dateReserved": "2023-02-17T00:00:00.000Z",
        "dateUpdated": "2025-03-06T15:59:31.592Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-22838 (GCVE-0-2023-22838)

    Vulnerability from nvd – Published: 2023-03-05 00:00 – Updated: 2025-03-06 16:02
    VLAI
    Summary
    Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting
    Assigner
    Impacted products
    Vendor Product Version
    EC-CUBE CO.,LTD. EC-CUBE 4 series Affected: EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:20:31.054Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.ec-cube.net/info/weakness/20230214/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN04785663/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22838",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-06T16:01:51.762350Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-06T16:02:05.314Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "EC-CUBE 4 series",
              "vendor": "EC-CUBE CO.,LTD.",
              "versions": [
                {
                  "status": "affected",
                  "version": "EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-05T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.ec-cube.net/info/weakness/20230214/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN04785663/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-22838",
        "datePublished": "2023-03-05T00:00:00.000Z",
        "dateReserved": "2023-02-17T00:00:00.000Z",
        "dateUpdated": "2025-03-06T16:02:05.314Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-38975 (GCVE-0-2022-38975)

    Vulnerability from nvd – Published: 2022-09-27 01:55 – Updated: 2025-05-21 18:24
    VLAI
    Summary
    DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    EC-CUBE CO.,LTD. EC-CUBE 4 series Affected: EC-CUBE 4.0.0 to 4.1.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T11:10:32.098Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.ec-cube.net/info/weakness/20220909/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN21213852/index.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-38975",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-21T18:23:58.811469Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-21T18:24:22.908Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "EC-CUBE 4 series",
              "vendor": "EC-CUBE CO.,LTD.",
              "versions": [
                {
                  "status": "affected",
                  "version": "EC-CUBE 4.0.0 to 4.1.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-27T01:55:16.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.ec-cube.net/info/weakness/20220909/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jvn.jp/en/jp/JVN21213852/index.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vultures@jpcert.or.jp",
              "ID": "CVE-2022-38975",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "EC-CUBE 4 series",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "EC-CUBE 4.0.0 to 4.1.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "EC-CUBE CO.,LTD."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ec-cube.net/info/weakness/20220909/",
                  "refsource": "MISC",
                  "url": "https://www.ec-cube.net/info/weakness/20220909/"
                },
                {
                  "name": "https://jvn.jp/en/jp/JVN21213852/index.html",
                  "refsource": "MISC",
                  "url": "https://jvn.jp/en/jp/JVN21213852/index.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2022-38975",
        "datePublished": "2022-09-27T01:55:16.000Z",
        "dateReserved": "2022-09-09T00:00:00.000Z",
        "dateUpdated": "2025-05-21T18:24:22.908Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-41924 (GCVE-0-2024-41924)

    Vulnerability from cvelistv5 – Published: 2024-07-30 08:45 – Updated: 2025-03-18 18:30
    VLAI
    Summary
    Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are installed, the product may be affected by some known vulnerabilities.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Acceptance of extraneous untrusted data with trusted data
    • CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
    Assigner
    Impacted products
    Vendor Product Version
    EC-CUBE CO.,LTD. EC-CUBE 4 series Affected: 4.0.0 to 4.0.6-p4
    Affected: 4.1.0 to 4.1.2-p3
    Affected: and 4.2.0 to 4.2.3
    Create a notification for this product.
    ec-cube ec-cube Affected: 4.0.0 , ≤ 4.0.6-p4 (custom)
        cpe:2.3:a:ec-cube:ec-cube:4.0.0:*:*:*:*:*:*:*
    Create a notification for this product.
    ec-cube ec-cube Affected: 4.1.0 , ≤ 4.1.2-p3 (custom)
        cpe:2.3:a:ec-cube:ec-cube:4.1.0:*:*:*:*:*:*:*
    Create a notification for this product.
    ec-cube ec-cube Affected: 4.2.0 , ≤ 4.2.3 (custom)
        cpe:2.3:a:ec-cube:ec-cube:4.2.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:ec-cube:ec-cube:4.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ec-cube",
                "vendor": "ec-cube",
                "versions": [
                  {
                    "lessThanOrEqual": "4.0.6-p4",
                    "status": "affected",
                    "version": "4.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:ec-cube:ec-cube:4.1.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ec-cube",
                "vendor": "ec-cube",
                "versions": [
                  {
                    "lessThanOrEqual": "4.1.2-p3",
                    "status": "affected",
                    "version": "4.1.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:ec-cube:ec-cube:4.2.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ec-cube",
                "vendor": "ec-cube",
                "versions": [
                  {
                    "lessThanOrEqual": "4.2.3",
                    "status": "affected",
                    "version": "4.2.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-41924",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-30T15:09:19.816048Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-349",
                    "description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-18T18:30:25.776Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:54:31.275Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.ec-cube.net/info/weakness/20240701/index.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN48324254/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "EC-CUBE 4 series",
              "vendor": "EC-CUBE CO.,LTD.",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.0.0 to 4.0.6-p4"
                },
                {
                  "status": "affected",
                  "version": "4.1.0 to 4.1.2-p3"
                },
                {
                  "status": "affected",
                  "version": "and 4.2.0 to 4.2.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are installed, the product may be affected by some known vulnerabilities."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Acceptance of extraneous untrusted data with trusted data",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-30T08:45:48.496Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.ec-cube.net/info/weakness/20240701/index.php"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN48324254/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-41924",
        "datePublished": "2024-07-30T08:45:48.496Z",
        "dateReserved": "2024-07-24T06:07:32.248Z",
        "dateUpdated": "2025-03-18T18:30:25.776Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-46845 (GCVE-0-2023-46845)

    Vulnerability from cvelistv5 – Published: 2023-11-07 07:39 – Updated: 2024-09-04 20:28
    VLAI
    Summary
    EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Code injection
    Assigner
    Impacted products
    Vendor Product Version
    EC-CUBE CO.,LTD. EC-CUBE 4 series Affected: 4.0.0 to 4.0.6-p3
    Affected: 4.1.0 to 4.1.2-p2
    Affected: and 4.2.0 to 4.2.2
    Create a notification for this product.
    EC-CUBE CO.,LTD. EC-CUBE 3 series Affected: 3.0.0 to 3.0.18-p6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:53:21.888Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.ec-cube.net/info/weakness/20231026/index_40.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.ec-cube.net/info/weakness/20231026/index.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.ec-cube.net/info/weakness/20231026/index_3.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN29195731/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-46845",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-04T20:27:53.327326Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-04T20:28:15.713Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "EC-CUBE 4 series",
              "vendor": "EC-CUBE CO.,LTD.",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.0.0 to 4.0.6-p3"
                },
                {
                  "status": "affected",
                  "version": " 4.1.0 to 4.1.2-p2"
                },
                {
                  "status": "affected",
                  "version": " and 4.2.0 to 4.2.2"
                }
              ]
            },
            {
              "product": "EC-CUBE 3 series",
              "vendor": "EC-CUBE CO.,LTD.",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0.0 to 3.0.18-p6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Code injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-07T07:39:57.896Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.ec-cube.net/info/weakness/20231026/index_40.php"
            },
            {
              "url": "https://www.ec-cube.net/info/weakness/20231026/index.php"
            },
            {
              "url": "https://www.ec-cube.net/info/weakness/20231026/index_3.php"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN29195731/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-46845",
        "datePublished": "2023-11-07T07:39:57.896Z",
        "dateReserved": "2023-10-27T08:05:25.926Z",
        "dateUpdated": "2024-09-04T20:28:15.713Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25077 (GCVE-0-2023-25077)

    Vulnerability from cvelistv5 – Published: 2023-03-05 00:00 – Updated: 2025-03-06 15:59
    VLAI
    Summary
    Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting
    Assigner
    Impacted products
    Vendor Product Version
    EC-CUBE CO.,LTD. EC-CUBE 4 series Affected: EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:11:43.452Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.ec-cube.net/info/weakness/20230214/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN04785663/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25077",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-06T15:59:18.281604Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-06T15:59:31.592Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "EC-CUBE 4 series",
              "vendor": "EC-CUBE CO.,LTD.",
              "versions": [
                {
                  "status": "affected",
                  "version": "EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-05T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.ec-cube.net/info/weakness/20230214/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN04785663/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-25077",
        "datePublished": "2023-03-05T00:00:00.000Z",
        "dateReserved": "2023-02-17T00:00:00.000Z",
        "dateUpdated": "2025-03-06T15:59:31.592Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-22838 (GCVE-0-2023-22838)

    Vulnerability from cvelistv5 – Published: 2023-03-05 00:00 – Updated: 2025-03-06 16:02
    VLAI
    Summary
    Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting
    Assigner
    Impacted products
    Vendor Product Version
    EC-CUBE CO.,LTD. EC-CUBE 4 series Affected: EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:20:31.054Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.ec-cube.net/info/weakness/20230214/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN04785663/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22838",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-06T16:01:51.762350Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-06T16:02:05.314Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "EC-CUBE 4 series",
              "vendor": "EC-CUBE CO.,LTD.",
              "versions": [
                {
                  "status": "affected",
                  "version": "EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-05T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.ec-cube.net/info/weakness/20230214/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN04785663/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-22838",
        "datePublished": "2023-03-05T00:00:00.000Z",
        "dateReserved": "2023-02-17T00:00:00.000Z",
        "dateUpdated": "2025-03-06T16:02:05.314Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-38975 (GCVE-0-2022-38975)

    Vulnerability from cvelistv5 – Published: 2022-09-27 01:55 – Updated: 2025-05-21 18:24
    VLAI
    Summary
    DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    EC-CUBE CO.,LTD. EC-CUBE 4 series Affected: EC-CUBE 4.0.0 to 4.1.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T11:10:32.098Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.ec-cube.net/info/weakness/20220909/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN21213852/index.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-38975",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-21T18:23:58.811469Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-21T18:24:22.908Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "EC-CUBE 4 series",
              "vendor": "EC-CUBE CO.,LTD.",
              "versions": [
                {
                  "status": "affected",
                  "version": "EC-CUBE 4.0.0 to 4.1.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-27T01:55:16.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.ec-cube.net/info/weakness/20220909/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jvn.jp/en/jp/JVN21213852/index.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vultures@jpcert.or.jp",
              "ID": "CVE-2022-38975",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "EC-CUBE 4 series",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "EC-CUBE 4.0.0 to 4.1.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "EC-CUBE CO.,LTD."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ec-cube.net/info/weakness/20220909/",
                  "refsource": "MISC",
                  "url": "https://www.ec-cube.net/info/weakness/20220909/"
                },
                {
                  "name": "https://jvn.jp/en/jp/JVN21213852/index.html",
                  "refsource": "MISC",
                  "url": "https://jvn.jp/en/jp/JVN21213852/index.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2022-38975",
        "datePublished": "2022-09-27T01:55:16.000Z",
        "dateReserved": "2022-09-09T00:00:00.000Z",
        "dateUpdated": "2025-05-21T18:24:22.908Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }