Published: 2024/07/30 Last Updated: 2024/07/30
JVN#48324254
EC-CUBE 4 Series improper input validation when installing plugins
Overview
EC-CUBE 4 series provided by EC-CUBE CO.,LTD. improperly validates inputs when installing plugins.
Products Affected
- EC-CUBE 4 series
  - EC-CUBE 4.0.0 to 4.0.6-p4
  - EC-CUBE 4.1.0 to 4.1.2-p3
  - EC-CUBE 4.2.0 to 4.2.3
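The following check is an added example, not part of the advisory or the vendor's code: it tests whether an EC-CUBE version string falls inside the affected ranges listed above. It assumes a `-pN` suffix sorts after the base release (4.0.6 < 4.0.6-p1); the function names and the sample inventory are constructed for illustration.

```python
import re

# Affected ranges copied from the "Products Affected" list (inclusive bounds).
AFFECTED_RANGES = [
    ("4.0.0", "4.0.6-p4"),
    ("4.1.0", "4.1.2-p3"),
    ("4.2.0", "4.2.3"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text):
    """Turn '4.0.6-p4' into (4, 0, 6, 4); a missing -pN suffix counts as p0.

    Assumption: -pN releases sort after the base release they patch.
    """
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised EC-CUBE version string: {text!r}")
    major, minor, patch, p_level = match.groups()
    return (int(major), int(minor), int(patch), int(p_level or 0))


def is_affected(version):
    """True when the version falls inside one of the advisory's ranges."""
    parsed = parse_version(version)
    return any(
        parse_version(low) <= parsed <= parse_version(high)
        for low, high in AFFECTED_RANGES
    )


if __name__ == "__main__":
    # Constructed sample inventory (host names and versions are made up).
    inventory = {
        "shop-a": "4.0.6-p4",
        "shop-b": "4.1.2-p4",
        "shop-c": "4.2.3",
        "shop-d": "4.3.0",
    }
    for host, version in sorted(inventory.items()):
        state = "in affected range" if is_affected(version) else "outside affected range"
        print(f"{host}: EC-CUBE {version} -> {state}")
```

A version inside a range identifies an installation to review; because the remedy is a vendor patch, confirm separately whether that patch has already been applied.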
Description
EC-CUBE 4 series provided by EC-CUBE CO.,LTD. improperly validates inputs when installing plugins (CWE-349).
Impact
An attacker who has obtained administrative privileges may install an arbitrary PHP package. If obsolete versions of PHP packages are installed, the product may be affected by some known vulnerabilities.
Solution
Apply the Patch
Apply the patch provided by the developer.
For more details, refer to the developer's information.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
EC-CUBE CO.,LTD. | Vulnerable | 2024/07/30 | EC-CUBE CO.,LTD. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
Base Score: 6.8
Metric | Value |
---|---|
Attack Vector (AV) | Network (N) |
Attack Complexity (AC) | Low (L) |
Privileges Required (PR) | High (H) |
User Interaction (UI) | None (N) |
Scope (S) | Changed (C) |
Confidentiality Impact (C) | None (N) |
Integrity Impact (I) | High (H) |
Availability Impact (A) | None (N) |
Credit
EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.
Other Information
CVE | CVE-2024-41924 |
JVN iPedia | JVNDB-2024-000080 |