Published:2023/02/28  Last Updated:2023/02/28

JVN#04785663
Multiple cross-site scripting vulnerabilities in EC-CUBE

Overview

EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple cross-site scripting vulnerabilities.

Products Affected

CVE-2023-22438

  • EC-CUBE 4 series
    • EC-CUBE 4.0.0 to 4.0.6-p2
    • EC-CUBE 4.1.0 to 4.1.2-p1
    • EC-CUBE 4.2.0
  • EC-CUBE 3 series
    • EC-CUBE 3.0.0 to 3.0.18-p5
  • EC-CUBE 2 series
    • EC-CUBE 2.11.0 to 2.11.5
    • EC-CUBE 2.12.0 to 2.12.6
    • EC-CUBE 2.13.0 to 2.13.5
    • EC-CUBE 2.17.0 to 2.17.2
CVE-2023-25077, CVE-2023-22838
  • EC-CUBE 4 series
    • EC-CUBE 4.0.0 to 4.0.6-p2
    • EC-CUBE 4.1.0 to 4.1.2-p1
    • EC-CUBE 4.2.0

Description

EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple cross-site scripting vulnerabilities listed below.

  • Cross-site scripting vulnerability in Contents Management (CWE-79) - CVE-2023-22438
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
  • Cross-site scripting vulnerability in Authentication Key Settings (CWE-79) - CVE-2023-25077
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
  • Cross-site scripting vulnerability in Product List Screen and Product Detail Screen (CWE-79) - CVE-2023-22838
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5

Impact

  • An arbitrary script may be executed on the web browser of the user who is accessing the administrative page of the product - CVE-2023-22438, CVE-2023-25077
  • An arbitrary script may be executed on the web browser of the user who is accessing a website that uses the product - CVE-2023-22838

Solution

Update the software
Update the software according to the information provided by the developer.
The developer has released EC-CUBE 4.2.1 that addresses these vulnerabilities.

Apply the Workaround
If an update cannot be applied, the developer recommends users applying the patches.
For more information, refer to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
EC-CUBE CO.,LTD. Vulnerable 2023/02/28

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2023-22438
Gaku Mochizuki, Taiga Shirakura of Mitsui Bussan Secure Directions, Inc. and Shiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2023-25077
Noriaki Iwasaki of Cyber Defense Institute, Inc. reported this vulnerability to EC-CUBE CO.,LTD. and EC-CUBE CO.,LTD. Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2023-22838
Rei TAKAHASHI of Hashiura Lab., Dept. of Data Science, Nippon Institute of Technology reported this vulnerability to EC-CUBE CO.,LTD. and EC-CUBE CO.,LTD. reported it to JPCERT/CC to notify users of its solution through JVN.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2023-22438
CVE-2023-25077
CVE-2023-22838
JVN iPedia JVNDB-2023-000019