JVN#55545372
EC-CUBE plugin BbAdminViewsControl vulnerable to SQL injection
Overview
The EC-CUBE plugin BbAdminViewsControl contains an SQL injection vulnerability.
Products Affected
- BbAdminViewsControl213 Ver1.0 and earlier
- BbAdminViewsControl Ver2.0 and earlier
Description
BbAdminViewsControl from BOKUBLOCK CO., LTD. is an EC-CUBE plugin. BbAdminViewsControl contains an SQL injection vulnerability (CWE-89).
Impact
A logged in attacker may execute SQL statements.
According to the developer, this vulnerability affects availability of the server that EC-CUBE resides, but information in the database can not be obtained or altered.
Solution
Do not use BbAdminViewsControl
Please stop use of BbAdminViewsControl.
The developer has stopped distributing the product.
Vendor Status
| Vendor | Link |
| BOKUBLOCK CO., LTD. | Top page |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE |
CVE-2015-7784 |
| JVN iPedia |
JVNDB-2015-000190 |
Update History
- 2016/07/07
- Information under the section "Impact", "Solution", "Vendor Status" and "Vulnerability Analysis by JPCERT/CC" was modified.