Published:2014/01/22  Last Updated:2024/05/15

JVN#51770585
EC-CUBE vulnerable to authorization bypass

Overview

EC-CUBE contains an authorization bypass vulnerability.

Products Affected

  • EC-CUBE 2.11.0
  • EC-CUBE 2.11.1
  • EC-CUBE 2.11.2
  • EC-CUBE 2.11.3
  • EC-CUBE 2.11.4
  • EC-CUBE 2.11.5
  • EC-CUBE 2.12.0
  • EC-CUBE 2.12.1
  • EC-CUBE 2.12.2

Description

EC-CUBE from EC-CUBE CO.,LTD. is an open source e-commerce platform for building shopping websites. EC-CUBE contains an authorization bypass vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key), the class of flaw in which a record is looked up by an identifier taken from the request without checking that the requesting user is permitted to access that record.

Impact

A user registered on the affected shopping website may obtain other users' information by sending a crafted HTTP request (for example, one that references a record belonging to another user).
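The following is an added illustration of the CWE-639 pattern behind this class of impact; it is not EC-CUBE's code, and the table layout, column names and sample rows are constructed for the demonstration only. A handler that fetches a record by the request-supplied key alone lets any logged-in customer read another customer's record, and walking nearby ids harvests them all; scoping the query to the session's customer makes a foreign id indistinguishable from a missing one.

```python
import sqlite3

# Constructed sample data for the demonstration (hypothetical schema, not EC-CUBE's).
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, email TEXT)")
    db.execute("CREATE TABLE orders (order_id INTEGER PRIMARY KEY, "
               "customer_id INTEGER, ship_addr TEXT)")
    db.executemany("INSERT INTO customer VALUES (?, ?)",
                   [(1, "alice@example.com"), (2, "bob@example.com")])
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1001, 1, "1-1 Alice St"),
                    (1002, 2, "2-2 Bob Ave"),
                    (1003, 2, "2-3 Bob Ave")])
    return db

COLUMNS = ("order_id", "customer_id", "ship_addr")

def order_detail_vulnerable(db, session_customer_id, order_id):
    """CWE-639: the record is selected by the request-controlled key only.

    session_customer_id is deliberately ignored, which is the bug: any
    authenticated user can read any order by changing order_id."""
    row = db.execute(
        "SELECT order_id, customer_id, ship_addr FROM orders WHERE order_id = ?",
        (order_id,)).fetchone()
    return dict(zip(COLUMNS, row)) if row else None

def order_detail_fixed(db, session_customer_id, order_id):
    """Hardened: the lookup is bound to the logged-in customer.

    An order belonging to someone else yields None exactly like a
    non-existent order, so the response gives no existence oracle."""
    row = db.execute(
        "SELECT order_id, customer_id, ship_addr FROM orders "
        "WHERE order_id = ? AND customer_id = ?",
        (order_id, session_customer_id)).fetchone()
    return dict(zip(COLUMNS, row)) if row else None

def enumerate_orders(handler, db, session_customer_id, id_range):
    """Simulates the crafted requests: an attacker with a self-registered
    account walks a range of ids and keeps every id the handler serves."""
    found = []
    for oid in id_range:
        if handler(db, session_customer_id, oid) is not None:
            found.append(oid)
    return found

def run_demo():
    """Runs both handlers as customer 1 (alice) against bob's order 1002."""
    db = build_db()
    return {
        "leaked": order_detail_vulnerable(db, 1, 1002),
        "denied": order_detail_fixed(db, 1, 1002),
        "own_ok": order_detail_fixed(db, 1, 1001),
        "vuln_enum": enumerate_orders(order_detail_vulnerable, db, 1, range(1000, 1010)),
        "fixed_enum": enumerate_orders(order_detail_fixed, db, 1, range(1000, 1010)),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The ownership condition belongs in the query (or in the data-access layer) rather than in a post-fetch comparison in each controller: a single forgotten check anywhere reintroduces the bypass, and a scoped query also keeps "not yours" and "not found" identical on the wire, which is what the analysis row "can be attacked over the Internet using packets" should make you care about.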

Solution

Apply the update or the patch
Apply the update or the patch according to the information provided by the developer.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2014.01.22

Measures                   Conditions                                                                                                                     Severity
Access Required            can be attacked over the Internet using packets                                                                                High
Authentication             self-registration, perhaps valid e-mail                                                                                        Mid-High
User Interaction Required  the vulnerability can be exploited without an honest user taking any action                                                    High
Exploit Complexity         some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)  Mid-High

Description of each analysis measure

Credit

The developer reported this vulnerability to JPCERT/CC under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2014-0808
JVN iPedia: JVNDB-2014-000006

Update History

2024/03/28
The vulnerability type was changed from information disclosure to authorization bypass
2024/05/15
Information under the [Description], [Impact] and [Vendor Status] sections was updated