JVN#06372244
Multiple vulnerabilities in EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE

Overview

EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE provided by GMO Payment Gateway, Inc. contain multiple vulnerabilities.

Products Affected

• EC-CUBE Payment Module (2.12) version 3.5.23 and earlier
• EC-CUBE Payment Module (2.11) version 2.3.17 and earlier
• GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier
• GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier

Description

EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service), which are additional modules for EC-CUBE, provided by GMO Payment Gateway, Inc. contain multiple vulnerabilities listed below.

• Cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2018-0657

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
  CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

• Input validation bypass vulnerability in the management screen (CWE-20) - CVE-2018-0658

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L	Base Score: 3.8
  CVSS v2	AV:N/AC:M/Au:S/C:N/I:P/A:N	Base Score: 3.5

Impact

• An arbitrary script may be executed on the web browser of an administrator logged into the EC-CUBE management screen - CVE-2018-0657
• An arbitrary PHP code may be executed on the server by an administrator logged into the EC-CUBE management screen - CVE-2018-0658

Solution

Update the software
Update to the latest version according to the information provided by the developer.