Published: 2011/10/14  Last Updated: 2011/10/14

JVN#44496332
EC-CUBE vulnerable to SQL injection

Overview

EC-CUBE contains a SQL injection vulnerability.

Products Affected

  • EC-CUBE Ver 2.11.0 through 2.11.2

Description

EC-CUBE, provided by LOCKON CO.,LTD., is an open source system for building online shopping sites. EC-CUBE contains a flaw in the way it assembles SQL statements from request input, which leads to a SQL injection vulnerability.
This vulnerability is different from JVN#81111541 and JVN#19072922.
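The advisory does not publish the affected statement, so the following is an added illustration of the bug class it names, not EC-CUBE's code. It uses Python with an in-memory SQLite database whose table names, columns and rows are constructed for the example. It shows a product lookup that splices a request parameter into the statement text, shows that escaping quote characters does not help when the parameter sits outside a string literal, and shows the same lookup with a bound parameter, which is what "assembling SQL statements" safely means in practice.

```python
import sqlite3

# Constructed attacker value sent in place of a numeric product id. It needs no
# quote character because the id is spliced into the statement outside of any
# string literal, so quote escaping alone cannot stop it.
PAYLOAD = "0 UNION SELECT email FROM customers"


def make_db() -> sqlite3.Connection:
    """Create an in-memory shop database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (product_id INTEGER, name TEXT);
        CREATE TABLE customers (customer_id INTEGER, email TEXT, pw_hash TEXT);
        INSERT INTO products VALUES (1, 'Green tea'), (2, 'Rice crackers');
        INSERT INTO customers VALUES (10, 'alice@example.com', 'h1'),
                                     (11, 'bob@example.com', 'h2');
        """
    )
    return conn


def lookup_product_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """Assemble the statement by concatenation: the parameter becomes SQL text.

    With PAYLOAD the statement turns into
    SELECT name FROM products WHERE product_id = 0 UNION SELECT email FROM customers
    and returns rows from a table the caller was never meant to read.
    """
    sql = "SELECT name FROM products WHERE product_id = " + product_id
    return [row[0] for row in conn.execute(sql)]


def lookup_product_escaped(conn: sqlite3.Connection, product_id: str) -> list:
    """Escape single quotes, then concatenate: still unsafe in a numeric context."""
    escaped = product_id.replace("'", "''")
    sql = "SELECT name FROM products WHERE product_id = " + escaped
    return [row[0] for row in conn.execute(sql)]


def lookup_product_safe(conn: sqlite3.Connection, product_id: str) -> list:
    """Bind the value: the driver passes it as data, never as statement text.

    The statement is fixed at compile time, so PAYLOAD is compared as a string
    against product_id (it is not a well-formed number) and matches nothing.
    Validating that the id is numeric before querying is sensible defence in
    depth, but binding is the fix for the injection itself.
    """
    rows = conn.execute("SELECT name FROM products WHERE product_id = ?", (product_id,))
    return [row[0] for row in rows]


def demo() -> dict:
    """Run all three lookups against the constructed database."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_product_vulnerable(conn, "1"),
        "vulnerable_payload": sorted(lookup_product_vulnerable(conn, PAYLOAD)),
        "escaped_payload": sorted(lookup_product_escaped(conn, PAYLOAD)),
        "safe_normal": lookup_product_safe(conn, "1"),
        "safe_payload": lookup_product_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The vulnerable and escaped variants both return the customer e-mail addresses for PAYLOAD, which is exactly the "view contents stored by EC-CUBE" outcome in the Impact section below; the bound variant returns an empty result for the same input and the product name for a legitimate id. The same distinction applies to PHP database layers: a statement built with string concatenation or a quote-escaping helper is the vulnerable pattern, a prepared statement with bound parameters is the hardened one.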

Impact

A remote, unauthenticated attacker may read data stored in the database used by EC-CUBE.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2011.10.14

Measure                    | Condition                                                                                            | Severity
Access Required            | can be attacked over the Internet using packets                                                      | High
Authentication             | self-registration, perhaps valid e-mail                                                              | Mid-High
User Interaction Required  | the vulnerability can be exploited without an honest user taking any action                          | High
Exploit Complexity         | expertise and/or luck required (guessing correctly in medium-sized space, kernel expertise)           | Low-Mid

Description of each analysis measure

Credit

Tsukada Nobuhisa of Seasoft reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2011-3988
JVN iPedia: JVNDB-2011-000087