JVN#29195731
EC-CUBE 3 series and 4 series vulnerable to arbitrary code execution
Overview
EC-CUBE 3 series and 4 series provided by EC-CUBE CO.,LTD. contain an arbitrary code execution vulnerability.
Products Affected
- EC-CUBE 4 series
  - EC-CUBE 4.0.0 to 4.0.6-p3
  - EC-CUBE 4.1.0 to 4.1.2-p2
  - EC-CUBE 4.2.0 to 4.2.2
- EC-CUBE 3 series
  - EC-CUBE 3.0.0 to 3.0.18-p6
Description
EC-CUBE 3 series and 4 series provided by EC-CUBE CO.,LTD. contain an arbitrary code execution vulnerability (CWE-94) due to improper settings of the product's template engine "Twig".
Impact
Arbitrary code may be executed on the server where the product is running by a user with administrative privileges.
Solution
Update the software
Update the software according to the information provided by the developer.
The developer has released EC-CUBE 4.2.3, which addresses this vulnerability.
Apply the Workaround
The developer has released patches for users who cannot apply the update.
For more information, refer to the information provided by the developer.
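The affected ranges listed under Products Affected and the fixed release named in Solution are easy to misjudge by eye because of the "-pN" hotfix suffixes (4.0.6-p3 is affected, 4.0.6-p4 is not listed). The following is an added example, not code from the advisory or from EC-CUBE, that encodes those ranges and classifies an inventory of installed versions; the host names are constructed, and the treatment of an absent "-pN" suffix as patch level 0 is an assumption made here.

```python
# Added example (not from JVN#29195731 or EC-CUBE): classify installed
# EC-CUBE versions against the affected ranges published in the advisory.
# A version string such as "4.0.6-p3" is read as base 4.0.6 at hotfix
# level 3; a missing "-pN" suffix is treated as level 0 (assumption).
import re
from typing import Dict, Optional, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")

# Inclusive ranges exactly as listed in the advisory.
AFFECTED_RANGES = [
    ("EC-CUBE 3 series", "3.0.0", "3.0.18-p6"),
    ("EC-CUBE 4.0.x", "4.0.0", "4.0.6-p3"),
    ("EC-CUBE 4.1.x", "4.1.0", "4.1.2-p2"),
    ("EC-CUBE 4.2.x", "4.2.0", "4.2.2"),
]

FIXED_RELEASE = "4.2.3"  # release named in the advisory's Solution section


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, hotfix_level) for e.g. '4.0.6-p3'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised EC-CUBE version string: {text!r}")
    major, minor, patch, level = m.groups()
    return int(major), int(minor), int(patch), int(level or 0)


def affected_range(version: str) -> Optional[str]:
    """Return the label of the affected range containing `version`, else None.

    None only means the version lies outside every range the advisory lists.
    It is not proof the install is patched: the vendor also shipped hotfix
    patches for users who cannot move to 4.2.3, so confirm those separately.
    """
    v = parse_version(version)
    for label, low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return label
    return None


def triage(installs: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each host to the affected-range label (or None) for its version."""
    return {host: affected_range(ver) for host, ver in installs.items()}


if __name__ == "__main__":
    # Constructed inventory; these are not real hosts.
    inventory = {
        "shop-a.example": "4.2.2",
        "shop-b.example": "4.0.6-p3",
        "shop-c.example": "4.1.2-p3",   # one hotfix level past the listed range
        "shop-d.example": FIXED_RELEASE,
        "shop-e.example": "3.0.18-p6",
    }
    for host, verdict in triage(inventory).items():
        print(f"{host}: {verdict or 'not in a listed affected range'}")
```

Tuple comparison does the range check: (4, 0, 6, 4) sorts after (4, 0, 6, 3), so a hotfix one level past the listed upper bound falls out of the range, while 4.2.3 sorts after 4.2.2 and is reported as outside every range. Treat a None verdict as "verify against the vendor's patch list", not as "safe".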
Vendor Status
Vendor | Status | Last Update | Vendor Notes
---|---|---|---
EC-CUBE CO.,LTD. | Vulnerable | 2023/11/07 | EC-CUBE CO.,LTD. website
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
[CVSS v3 base-metric selector (Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality/Integrity/Availability Impact) and CVSS v2 base-metric selector (Access Vector, Access Complexity, Authentication, Confidentiality/Integrity/Availability Impact): only the metric names survive in this copy; the values assigned by JPCERT/CC are not recoverable from it.]
Credit
Takeshi Miura of N.F.Laboratories Inc. reported this vulnerability to EC-CUBE CO.,LTD.
EC-CUBE CO.,LTD. reported this case to JPCERT/CC to notify users of its solution through JVN.
Other Information
JPCERT Alert: none listed
JPCERT Reports: none listed
CERT Advisory: none listed
CPNI Advisory: none listed
TRnotes: none listed
CVE: CVE-2023-46845
JVN iPedia: JVNDB-2023-000107