Published: 2011/10/14 Last Updated: 2011/10/14
JVN#44496332
EC-CUBE vulnerable to SQL injection
Overview
EC-CUBE contains a SQL injection vulnerability.
Products Affected
- EC-CUBE Ver 2.11.0 through 2.11.2
Description
EC-CUBE, provided by LOCKON CO.,LTD., is an open source system for building shopping websites. EC-CUBE contains a flaw in how it assembles SQL statements from user-supplied input, leading to a SQL injection vulnerability.
This vulnerability is different from JVN#81111541 and JVN#19072922.
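The advisory does not publish the affected statement or parameter, so the following is an added illustration of the flaw class it describes, not EC-CUBE's own code or schema: a query assembled by splicing a request value into the SQL text, beside the parameterized form that fixes it. The table names, column names, sample rows and attacker inputs are all constructed for the example.

```python
import sqlite3

# Constructed toy schema standing in for a shop database. It is not
# EC-CUBE's schema; the table and column names are assumptions for
# the illustration.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (customer_id INTEGER, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE admin (id INTEGER, login TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"),
         (2, "bob", "bob@example.com"),
         (3, "carol", "carol@example.com")],
    )
    conn.execute("INSERT INTO admin VALUES (1, 'admin', '$2y$10$constructedhash')")
    return conn


def find_by_email_vulnerable(conn, email):
    """The flaw class in the advisory: the request value is spliced into the
    SQL text, so quote characters in it change the statement's structure."""
    sql = "SELECT customer_id, name, email FROM customer WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_by_email_safe(conn, email):
    """The fix: the value travels as a bound parameter and is never parsed
    as SQL, so the same inputs match nothing."""
    sql = "SELECT customer_id, name, email FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed attacker inputs. The first turns the WHERE clause into a
# tautology and dumps every customer row; the second appends a UNION that
# reads an unrelated table through the same query, which is how an
# injection lets an attacker view other contents the application stores.
TAUTOLOGY = "x' OR '1'='1"
UNION_READ = "x' UNION SELECT id, login, password_hash FROM admin --"


def demo():
    conn = setup_db()
    return {
        "vuln_tautology": find_by_email_vulnerable(conn, TAUTOLOGY),
        "vuln_union": find_by_email_vulnerable(conn, UNION_READ),
        "safe_tautology": find_by_email_safe(conn, TAUTOLOGY),
        "safe_union": find_by_email_safe(conn, UNION_READ),
        "safe_legit": find_by_email_safe(conn, "bob@example.com"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The two attacker inputs are ordinary strings to the parameterized query and return no rows; only the string-assembled query lets them rewrite the statement. The same pattern applies to EC-CUBE's PHP database layer: any query that concatenates request data into the SQL text needs to be rewritten to bind that data as a parameter.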
Impact
A remote, unauthenticated attacker may view contents stored by EC-CUBE.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2011.10.14
Measures | Conditions | Severity
---|---|---
Access Required | can be attacked over the Internet using packets |
Authentication | self-registration, perhaps valid e-mail |
User Interaction Required | the vulnerability can be exploited without an honest user taking any action |
Exploit Complexity | expertise and/or luck required (guessing correctly in medium-sized space, kernel expertise) |
Credit
Tsukada Nobuhisa of Seasoft reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert |
JPCERT Reports |
CERT Advisory |
CPNI Advisory |
TRnotes |
CVE | CVE-2011-3988
JVN iPedia | JVNDB-2011-000087