Published:2022/09/15  Last Updated:2022/09/15

JVN#30900552
EC-CUBE plugin "Product Image Bulk Upload Plugin" vulnerable to insufficient verification in uploading files

Overview

EC-CUBE plugin "Product Image Bulk Upload Plugin" provided by EC-CUBE CO.,LTD. contains an insufficient verification vulnerability when uploading files.

Products Affected

  • EC-CUBE plugin "Product Image Bulk Upload Plugin" 1.0.0
  • EC-CUBE plugin "Product Image Bulk Upload Plugin" 4.1.0

Description

EC-CUBE plugin "Product Image Bulk Upload Plugin", a plugin that enables to upload image files, provided by EC-CUBE CO.,LTD. contains an insufficient verification vulnerability when uploading files (CWE-20).
Exploiting this vulnerability allows a remote unauthenticated attacker to upload arbitrary files other than image files.

Impact

One of the attack scenarios and the possible impacts is as follows:
If a user with an administrative privilege of EC-CUBE where the vulnerable plugin is installed is led to uploads a specially crafted file, an arbitrary script may be executed on the system.

Solution

Update the plugin
Update the plugin to the latest version according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
EC-CUBE CO.,LTD. Vulnerable 2022/09/15 EC-CUBE CO.,LTD. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Base Score: 6.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:P
Base Score: 5.1
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2022-37346
JVN iPedia JVNDB-2022-000072