Published: 2021/09/16  Last Updated: 2021/09/16

JVN#23406150
EC-CUBE plugin "Order Status Batch Change Plug-in" vulnerable to cross-site scripting

Overview

EC-CUBE plugin "Order Status Batch Change Plug-in" provided by ActiveFusions Co., Ltd. contains a cross-site scripting vulnerability.

Products Affected

  • Order Status Batch Change Plug-in (for EC-CUBE 3.0 series) all versions

Description

EC-CUBE plugin "Order Status Batch Change Plug-in" provided by ActiveFusions Co., Ltd. contains a cross-site scripting vulnerability (CWE-79).
An arbitrary script may be executed by conducting a specific operation on the management page of EC-CUBE.

Impact

If a remote attacker injects a specially crafted script into the specific input field of an EC web site built with the plugin, an arbitrary script may be executed in the administrator's web browser.
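The impact statement above describes the classic stored cross-site scripting pattern (CWE-79): a value submitted through a storefront input field is later rendered, unescaped, on the management page that an administrator views. The following is an added illustration of that pattern and its standard mitigation in PHP, the language EC-CUBE and its plugins are written in; it is not code from EC-CUBE, from the plugin, or from ActiveFusions, and the field name, function names and the sample value are hypothetical.

```php
<?php
// Added illustration of the CWE-79 pattern described in this advisory.
// Not code from EC-CUBE or the plugin; all names here are hypothetical.

// Constructed sample: a value a customer could submit in an order-related
// field on the storefront that is later shown on the admin order page.
$customerNote = "Please deliver after 6pm <script>alert('xss')</script>";

// Vulnerable rendering: the raw value is concatenated into admin-page HTML,
// so any markup it contains becomes part of the page the administrator sees.
function renderNoteUnsafe(string $note): string
{
    return '<td class="order-note">' . $note . '</td>';
}

// Hardened rendering: encode the value for an HTML text context before it is
// placed in the page. ENT_QUOTES also encodes single quotes, so the same
// helper is safe inside quoted attribute values.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderNoteSafe(string $note): string
{
    return '<td class="order-note">' . escapeHtml($note) . '</td>';
}

// A simple check a reviewer or a test suite can run over rendered admin HTML:
// no raw <script tag or inline event-handler attribute should survive.
function containsRawScript(string $html): bool
{
    return (bool) preg_match('/<script\b|\bon\w+\s*=/i', $html);
}

// The unsafe renderer passes the script tag through; the safe renderer
// emits it as escaped text that the browser displays but does not execute.
echo renderNoteUnsafe($customerNote), PHP_EOL;
echo renderNoteSafe($customerNote), PHP_EOL;

// The check flags the unsafe output and accepts the escaped output.
var_dump(containsRawScript(renderNoteUnsafe($customerNote)));
var_dump(containsRawScript(renderNoteSafe($customerNote)));
```

EC-CUBE 3 renders its pages through Twig, whose autoescaping covers values printed from a template; the check above is worth applying to any value that reaches the admin page through the `raw` filter or that is assembled into HTML in PHP code outside the template, since those paths bypass autoescaping.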

Solution

Stop using "Order Status Batch Change Plug-in"
The developer states that the plugin is no longer developed or supported; users should therefore stop using it.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score: 6.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality Impact (C): Low (L)
Integrity Impact (I): Low (L)
Availability Impact (A): None (N)

CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score: 4.3
Access Vector (AV): Network (N)
Access Complexity (AC): Medium (M)
Authentication (Au): None (N)
Confidentiality Impact (C): None (N)
Integrity Impact (I): Partial (P)
Availability Impact (A): None (N)

Credit

ActiveFusions Co., Ltd. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and ActiveFusions Co., Ltd. coordinated under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2021-20828
JVN iPedia: JVNDB-2021-000083