Published: 2009/12/07  Last Updated: 2009/12/08

JVN#79762947
EC-CUBE information disclosure vulnerability
Critical

Overview

EC-CUBE from LOCKON CO.,LTD. contains an information disclosure vulnerability.

Products Affected

  • EC-CUBE Ver2 Version 2.4.0 RC1 to 2.4.1
  • EC-CUBE Community Edition r18068 to r18428
  • For more information, refer to the vendor's website.

Description

EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains an information disclosure vulnerability.

Impact

A remote attacker may be able to obtain customer data that is saved by EC-CUBE.

Solution

Update the Software
Apply the latest updates provided by the vendor.

Fix the file
Modify the specific file according to the information provided by the developer.

Vendor Status

Vendor           Status      Last Update   Vendor Notes
LOCKON CO.,LTD.  Vulnerable  2009/12/07

References

  1. IPA: Security Alert for EC-CUBE Vulnerability

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2009.12.07 Critical

Measure                    Condition                                                                              Severity
Access Required            Routed - can be attacked over the Internet using packets                               High
Authentication             None - anonymous or no authentication (IP addresses do not count)                      High
User Interaction Required  None - the vulnerability can be exploited without an honest user taking any action     High
Exploit Complexity         Low - little to no expertise and/or luck required to exploit (cross-site scripting)    High

Other Information

CVE CVE-2009-4236
JVN iPedia JVNDB-2009-000078

Update History

2009/12/07
Information under the section "Products Affected" was modified.
2009/12/08
Information under the section "References" was modified.