Published:2021/05/10  Last Updated:2021/05/10

JVN#97554111
EC-CUBE vulnerable to cross-site scripting
Critical

Overview

EC-CUBE contains a cross-site scripting vulnerability.

Products Affected

EC-CUBE 4.0.0 to 4.0.5

Description

EC-CUBE provided by EC-CUBE CO.,LTD. contains a cross-site scripting vulnerability (CWE-79).
An arbitrary script may be executed by executing a specific operation on the management page of EC-CUBE.

As of 2021 May 10, an attack exploting this vulnerability has been observed in the wild.

 

Impact

If a remote attacker injects a specially crafted script in the specific input field of the EC web site which is created using EC-CUBE, an arbitrary script may be executed on the administrator's web browser.

Solution

Update the Softwere
Update the software according to the information provided by the developer.  The developer has released the following version that addresses the vulnerability.

  • 4.0.5-p1
Apply the Patch
Apply the hotfix patch according to the information provided by the developer.

References

  1. Information-technology Promotion Agency, Japan (IPA)
    Regarding cross-site scripting vulnerability in EC-CUBE (JVN#97554111) (in Japanese)

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Base Score: 7.1
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports JPCERT-AT-2021-0022
Alert Regarding Cross Site Scripting Vulnerability (CVE-2021-20717) in EC-CUBE
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2021-20717
JVN iPedia JVNDB-2021-000035

Update History

2021/05/10
Information under the section "References" and "Other Information" was updated.