Published: 2021/07/01  Last Updated: 2021/07/01

JVN#57942445
EC-CUBE fails to restrict access permissions

Overview

EC-CUBE provided by EC-CUBE CO.,LTD. fails to restrict access permissions.

Products Affected

  • EC-CUBE 4.0.6 (EC-CUBE 4 series)

According to the developer, this vulnerability is caused by a defect in the fix of JVN#95292458.

Description

EC-CUBE provided by EC-CUBE CO.,LTD. fails to restrict access permissions (CWE-284).

Impact

A remote attacker may obtain sensitive information.

Solution

Update the Software
Update the software according to the information provided by the developer.
The developer has released EC-CUBE 4.0.6-p1, which addresses the vulnerability.

Apply the Patch
Apply the hotfix patch according to the information provided by the developer.

Vendor Status

Vendor            Status      Last Update  Vendor Notes
EC-CUBE CO.,LTD.  Vulnerable  2021/07/01   EC-CUBE CO.,LTD. website

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
         Base Score: 7.5
CVSS v2  AV:N/AC:L/Au:N/C:P/I:N/A:N
         Base Score: 5.0

Credit

EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.

Other Information

CVE         CVE-2021-20778
JVN iPedia  JVNDB-2021-000059