Published: 2016/04/26  Last Updated: 2016/04/26

Information from shiro8.net

Vulnerability ID: JVN#63384827
Title: Multiple shiro8 Co., Ltd. freearea_ addition_plugins for EC-CUBE vulnerable to cross-site scripting
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

EC-CUBE plugins
Cross-site scripting vulnerability in the "category_freearea_ addition_plugin ver1.0"

■ Overview
A cross-site scripting vulnerability was found in "category_freearea_ addition_plugin", a function plugin for version 2.12 of the open source EC site package "ECCUBE".
If this vulnerability is exploited by a malicious third party, there is a risk of session hijacking, redirection to an illegal site, and execution of unauthorized programs.
The "category_freearea_ addition_plugin" plugin is affected by this problem.
If you are using the version shown below, please apply the following fix.

■ How to check the product
The following product is affected.
Product Name: "category_freearea_ addition_plugin"
Versions: 1.0

■ How to check the version number you are using
1. Log in to the ECCUBE management screen.

2. From the header menu, open Owner's Store > Plugin Management > Plugin Management.

3. The number listed after the plugin name in the list of available plugins is the version number in ECCUBE.

4. If the version number is "1.0", the plugin is vulnerable.
Please update as soon as possible.
After the update, please make sure that the displayed version number is "1.1".

■ Description of the vulnerability

Execution of unauthorized programs due to cross-site scripting.

■ Threat posed by the vulnerability

Session hijacking; the user may also be redirected to a fraudulent site.
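The advisory does not say where in the plugin the unescaped output occurs, so the following is an added illustration of the general bug class and its fix, not the plugin's own code. The function names and the sample string are constructed for the example; the only real API used is PHP's htmlspecialchars(). Free-area plugins insert a stored block of text into a page, and the difference between the two renderers below is the whole vulnerability: the first echoes the stored text into HTML as-is, the second escapes it for an HTML context first.

```php
<?php
// Added example (not the plugin's own code): unescaped versus HTML-escaped
// output of a stored free-area text. Function names are hypothetical.

// Vulnerable pattern: the stored text is concatenated into the page as-is,
// so any markup or script inside it is interpreted by the visitor's browser.
function render_freearea_unescaped(string $freearea): string
{
    return '<div class="freearea">' . $freearea . '</div>';
}

// Hardened pattern: escape for an HTML context at the point of output.
// ENT_QUOTES also converts single quotes, so the result is safe inside
// attribute values as well as element content.
function render_freearea_escaped(string $freearea): string
{
    $safe = htmlspecialchars($freearea, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="freearea">' . $safe . '</div>';
}

// Constructed sample input that happens to contain markup.
$sample = '<b>Sale</b><script>alert(1)</script>';

echo render_freearea_unescaped($sample), PHP_EOL; // markup reaches the browser intact
echo render_freearea_escaped($sample), PHP_EOL;   // &lt;b&gt;Sale&lt;/b&gt;... is shown as text
```

In a Smarty-based template such as those EC-CUBE 2.x uses, the equivalent fix is to apply an HTML-escape modifier to the variable at the point where it is printed rather than trusting the stored value; escaping once on output, in the context where the value lands, is what removes the session-hijacking and redirection risk the advisory describes.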

■ Countermeasures (how to update the product)

1. Log in to the ECCUBE management screen.

2. From the header menu, open Owner's Store > Plugin Management > Plugin Management.

3. If the number listed after the plugin name in the list of plugins in use is "1.0", click the "Update" text link in the "Plugin settings" item to perform the update.
Since the update may require logging in to the ECCUBE Owner's Store, please log in to the Owner's Store as instructed on screen.

4. After the update is complete, please make sure that the version number is "1.1".

■ Related Information
The same vulnerability also exists in Ver1.0 of a separate ECCUBE plugin we distribute, "itemdetail_freearea_ addition_plugin"; if you are using it, we would appreciate a prompt update.

[itemdetail_freearea_ addition_plugin]
Distribution site URL: http://www.ec-cube.net/products/detail.php?Product_id=506

■ Acknowledgements
We are very grateful for the report of this problem in the plugins we released.
We take this opportunity to express our thanks.
If you find an unknown bug, please let us know.

■ Contact Us
Mail: kikaku@shiro8.net