JVN#57524494
Multiple cross-site scripting vulnerabilities in multiple EC-CUBE plugins provided by EC-CUBE

Overview

Multiple EC-CUBE plugins provided by EC-CUBE CO.,LTD. contain multiple cross-site scripting vulnerabilities.

Products Affected

CVE-2021-20742

• Business form output plugin (for EC-CUBE 3.0 series) versions prior to version 1.0.1

• Email newsletters management plugin (for EC-CUBE 3.0 series) versions prior to version 1.0.4

• Category contents plugin (for EC-CUBE 3.0 series) versions prior to version 1.0.1

Description

Multiple EC-CUBE plugins provided by EC-CUBE CO.,LTD. contain multiple cross-site scripting vulnerabilities listed below.

• Cross-site scripting vulnerability (CWE-79) - CVE-2021-20742

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L	Base Score: 7.1
  CVSS v2	AV:N/AC:M/Au:N/C:P/I:P/A:P	Base Score: 6.8

• Cross-site scripting vulnerability (CWE-79) - CVE-2021-20743

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
  CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

• Cross-site scripting vulnerability (CWE-79) - CVE-2021-20744

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
  CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

Impact

• If a remote attacker injects a specially crafted script in the specific input field of the EC web site which is created using EC-CUBE, an arbitrary script may be executed on the administrator's web browser - CVE-2021-20742
• If a remote attacker leads a user of the product to a specially crafted page and to perform a specific operation, an arbitrary script may be executed on the user's web browser - CVE-2021-20743
• If a remote attacker leads an administrator or a user of the product to a specially crafted page and to perform a specific operation, an arbitrary script may be executed on the administrator's or the user's web browser - CVE-2021-20744

Solution

Update the plugin
Update the plugin to the latest version according to the information provided by the developer.