JVN#19072922
EC-CUBE vulnerable to SQL injection
Critical
Overview
EC-CUBE provided by LOCKON CO.,LTD. contains a SQL injection vulnerability.
Products Affected
All the versions of EC-CUBE are affected.
- EC-CUBE Ver2 Version 2.3.0 and earlier
- EC-CUBE Ver2 RC Version 2.3.0-rc1 and earlier
- EC-CUBE Ver1 Version 1.4.7 and earlier
- EC-CUBE Ver1 Beta Version 1.5.0-beta2 and earlier
- EC-CUBE Community Edition 1.3.5 and earlier
- EC-CUBE Community Edition Nightly-Build r17668 and earlier
For more information, refer to the vendor's website.
Description
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a SQL injection vulnerability.
This vulnerability is different from JVN#81111541.
Impact
A remote attacker could obtain the website administrator's privilege which was created using EC-CUBE.
Solution
Update the Software
Apply the latest updates provided by the vendor.
JPCERT/CC Addendum
An updated version addressing this vulnerability was released on November 7, 2008Credit
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE |
CVE-2008-4991 |
| JVN iPedia |
JVNDB-2008-000075 |
Update History
- 2009/05/12
- Information under the sections "JPCERT/CC Addendum" were modified.