Published:2013/05/23  Last Updated:2013/05/23

EC-CUBE vulnerable to session fixation


EC-CUBE contains a session fixation vulnerability.

Products Affected

  • EC-CUBE 2.11.0
  • EC-CUBE 2.11.1
  • EC-CUBE 2.11.2
  • EC-CUBE 2.11.3
  • EC-CUBE 2.11.4
  • EC-CUBE 2.11.5
  • EC-CUBE 2.12.0
  • EC-CUBE 2.12.1
  • EC-CUBE 2.12.2
  • EC-CUBE 2.12.3
  • EC-CUBE 2.12.3en
  • EC-CUBE 2.12.3enP1
  • EC-CUBE 2.12.3enP2


EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a session fixation vulnerability.


A remote unauthenticated attacker may impersonate a user. As a result, information may be disclosed or altered.


Apply the update or patch
Apply the update or patch according to the information provided by the developer.


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2013.05.23

Measures Conditions Severity
Access Required can be attacked over the Internet using packets
  • High
Authentication anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file
  • Mid
Exploit Complexity some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)
  • Mid-High

Description of each analysis measures


Yuji Tounai of reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2013-2313
JVN iPedia JVNDB-2013-000042