Published: 2009/12/07  Last Updated: 2009/12/08

JVN#79762947
EC-CUBE information disclosure vulnerability
Critical

Overview

EC-CUBE from LOCKON CO.,LTD. contains an information disclosure vulnerability.

Products Affected

  • EC-CUBE Ver2 Version 2.4.0 RC1 to 2.4.1
  • EC-CUBE Community Edition r18068 to r18428
  • For more information, refer to the vendor's website.

Description

EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains an information disclosure vulnerability.

Impact

A remote attacker may be able to obtain customer data that is saved by EC-CUBE.

Solution

Update the Software
Apply the latest updates provided by the vendor.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
LOCKON CO.,LTD. | vulnerable | 2009/12/07 |

References

  1. IPA
    Security Alert for EC-CUBE Vulnerability

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2009.12.07  Critical

Measures | Conditions | Severity
Access Required | can be attacked over the Internet using packets | High
Authentication | anonymous or no authentication (IP addresses do not count) | High
User Interaction Required | the vulnerability can be exploited without an honest user taking any action | High
Exploit Complexity | the user must be convinced to take a difficult or suspicious action. If the honest user must have elevated privileges, they are likely to be more suspicious | High

Credit

Other Information

CVE: CVE-2009-4236
JVN iPedia: JVNDB-2009-000078

Update History

2009/12/07
Information under the section "Products Affected" was modified.
2009/12/08
Information under the section "References" was modified.