Published:2008/10/01  Last Updated:2008/10/16

JVN#81111541
EC-CUBE vulnerable to SQL injection
Critical

Overview

EC-CUBE provided by LOCKON CO.,LTD. contains a SQL injection vulnerability.

Products Affected

  • EC-CUBE Ver2 Version 2.1.2a and earlier
  • EC-CUBE Ver2 RC Version 2.3.0-rc1 and earlier
According to the vendor, EC-CUBE Ver1.x are not affected.

Description

EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a SQL injection vulnerability.

Impact

A remote attacker could obtain the website administrator's privilege which was created using EC-CUBE.

Solution

Update the Software
Apply the latest updates provided by the vendor.

Vendor Status

Vendor Status Last Update Vendor Notes
LOCKON CO.,LTD. Vulnerable 2009/07/27

References

  1. Security Alert for EC-CUBE Vulnerability

JPCERT/CC Addendum

Credit

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2008-4534
JVN iPedia JVNDB-2008-000065

Update History

2008/10/01
The first English advisory of this issue was published.
2008/10/16
Information under the section "References" was modified.