CVSS: 7.2EPSS: 0%CPEs: 15EXPL: 3CVE-2023-46845
https://notcve.org/view.php?id=CVE-2023-46845
EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege. EC-CUBE series 3 (3.0.0 a 3.0.18-p6) y 4 (4.0.0 a 4.0.6-p3, 4.1.0 a 4.1.2-p2 y 4.2.0 a 4.2.2) contienen una vulnerabilidad de ejecución de código arbitrario debido a una configuración incorrecta del motor de plantillas Twig incluido en el producto. Como resultado, un usuario con privilegios administrativos puede ejecutar código arbitrario en el servidor donde se ejecuta el producto. • https://jvn.jp/en/jp/JVN29195731 https://www.ec-cube.net/info/weakness/20231026/index.php https://www.ec-cube.net/info/weakness/20231026/index_3.php https://www.ec-cube.net/info/weakness/20231026/index_40.php • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.4EPSS: 0%CPEs: 16EXPL: 0CVE-2023-22438
https://notcve.org/view.php?id=CVE-2023-22438
Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script. • https://jvn.jp/en/jp/JVN04785663 https://www.ec-cube.net/info/weakness/20230214 https://www.ec-cube.net/info/weakness/20230214/index_2.php https://www.ec-cube.net/info/weakness/20230214/index_3.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 2.7EPSS: 0%CPEs: 7EXPL: 0CVE-2022-40199
https://notcve.org/view.php?id=CVE-2022-40199
Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure information. Una vulnerabilidad de Salto de Directorio en las series EC-CUBE 3 (EC-CUBE versiones 3.0.0 a 3.0.18-p4 ) y EC-CUBE 4 (EC-CUBE versiones 4.0.0 a 4.1.2) permite a un atacante remoto autenticado con privilegio administrativo obtener la información de la estructura de directorios del producto • https://jvn.jp/en/jp/JVN21213852/index.html https://www.ec-cube.net/info/weakness/20220909 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2022-25355
https://notcve.org/view.php?id=CVE-2022-25355
EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users. EC-CUBE versiones 3.0.0 a 3.0.18-p3 y EC-CUBE versiones 4.0.0 a 4.1.1, manejan inapropiadamente los valores del encabezado HTTP Host, lo que puede conllevar a que un atacante remoto no autenticado dirija la versión vulnerable de EC-CUBE para enviar un correo electrónico con alguna URL de reemisión de contraseña falsificada a usuarios de EC-CUBE • https://jvn.jp/en/jp/JVN53871926/index.html https://www.ec-cube.net/info/weakness/20220221 • CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2021-20750
https://notcve.org/view.php?id=CVE-2021-20750
Cross-site scripting vulnerability in EC-CUBE EC-CUBE 3.0.0 to 3.0.18-p2 (EC-CUBE 3 series) and EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific operation. Una vulnerabilidad de tipo cross-site scripting en EC-CUBE EC-CUBE versiones 3.0.0 hasta 3.0.18-p2 (serie EC-CUBE 3) y EC-CUBE versiones 4.0.0 hasta 4.0.5-p1 (serie EC-CUBE 4) permite a un atacante remoto inyectar un script arbitrario conllevando a un administrador o a un usuario a una página especialmente diseñada y llevar a cabo una operación específica • https://jvn.jp/en/jp/JVN95292458/index.html https://www.ec-cube.net/info/weakness/weakness.php?id=78 https://www.ec-cube.net/info/weakness/weakness.php?id=79 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •