Published:2014/01/22 Last Updated:2024/05/15
JVN#51770585
EC-CUBE vulnerable to authorization bypass
Overview
EC-CUBE contains an authorization bypass vulnerability.
Products Affected
- EC-CUBE 2.11.0
- EC-CUBE 2.11.1
- EC-CUBE 2.11.2
- EC-CUBE 2.11.3
- EC-CUBE 2.11.4
- EC-CUBE 2.11.5
- EC-CUBE 2.12.0
- EC-CUBE 2.12.1
- EC-CUBE 2.12.2
Description
EC-CUBE from EC-CUBE CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains an authorization bypass vulnerability (CWE-639).
Impact
A user of the affected shopping website may obtain other users' information by sending a crafted HTTP request.
Solution
Apply the update or the patch
Apply the update or the patch according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| EC-CUBE CO.,LTD. | Authorization bypass vulnerability (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2014.01.22
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | can be attacked over the Internet using packets |
|
| Authentication | self-registration, perhaps valid e-mail |
|
| User Interaction Required | the vulnerability can be exploited without an honest user taking any action |
|
| Exploit Complexity | some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) |
|
Credit
The developer reported this vulnerability to JPCERT/CC under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2014-0808 |
| JVN iPedia |
JVNDB-2014-000006 |
Update History
- 2024/03/28
- The vulnerability type was changed from information disclosure to authorization bypass
- 2024/05/15
- Information under the section [Description], [Impact] and [Vendor Status] was updated