Published:2021/06/15  Last Updated:2021/06/15

JVN#79254445
Multiple ETUNA EC-CUBE plugins vulnerable to cross-site scripting
Critical

Overview

Multiple EC-CUBE plugins provided by ETUNA contain a cross-site scripting vulnerability.

Products Affected

  • Delivery slip number plugin (3.0 series) 1.0.10 and earlier
  • Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier
  • Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier

Description

Multiple EC-CUBE plugins provided by ETUNA contain a cross-site scripting vulnerability (CWE-79).
An arbitrary script may be executed by executing a specific operation on the management page of EC-CUBE.

As of 2021 June 15, an attack exploting this vulnerability has been observed in the wild.

Impact

An arbitrary script may be executed on the web browser of the user who is accessing the administrative page of the affected product.

Solution

Update the software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor Link
ETUNA Delivery slip number plugin (3.0 series) | Release notes (Text in Japanese)
Delivery slip number csv bulk registration plugin (3.0 series) | Release notes (Text in Japanese)
Delivery slip number mail plugin (3.0 series) | Release notes (Text in Japanese)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score: 6.1
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score: 4.3
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Yoshimitsu Kato of Asterisk Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert JPCERT-AT-2021-0028
Alert Regarding Cross Site Scripting Vulnerabilities in Multiple EC-CUBE 3.0 Series Plugins
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2021-20735
JVN iPedia JVNDB-2021-000049

Update History

2021/06/15
Added information under "Other Information" section