JVN#15637138
EC-Orange vulnerable to authorization bypass
Overview
EC-Orange contains an authorization bypass vulnerability.
Products Affected
- Systems deployed before June 29th, 2015
Description
EC-Orange, provided by S-cubism Inc., is an e-commerce website building system package based on the open source software EC-CUBE.
EC-Orange contains an authorization bypass vulnerability (CWE-639).
This is the same issue as JVN#51770585 (EC-CUBE vulnerable to authorization bypass).
Impact
A user of the affected shopping website may obtain other users' information by sending a crafted HTTP request.
Solution
Update the Software or Apply the Patch
Update the software to the latest version or apply the patch according to the information provided by the developer.
For systems deployed after June 29th, 2015, the issue has already been resolved.
Vendor Status
Vendor | Link |
S‑cubism Inc. | EC-ORANGE (Text in Japanese) |
JPCERT/CC Addendum
This vulnerability was reported in July 2015.
Coordination with the developer was resumed in December 2023, and this JVN publication was agreed upon.
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |
Credit
Tsuyoshi Nagakawa (Ishibashi) of Verizon Japan Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
CVE | CVE-2014-0808 |
JVN iPedia | JVNDB-2024-000054 |