
CVSS: 4.8 | EPSS: 0% | CPEs: 8 | EXPL: 0

EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of the Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product. • https://jvn.jp/en/jp/JVN46993816 https://www.ec-cube.net/info/weakness/20230727 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 | EPSS: 0% | CPEs: 16 | EXPL: 0

Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script. • https://jvn.jp/en/jp/JVN04785663 https://www.ec-cube.net/info/weakness/20230214 https://www.ec-cube.net/info/weakness/20230214/index_2.php https://www.ec-cube.net/info/weakness/20230214/index_3.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page. • https://jvn.jp/en/jp/JVN75444925/index.html https://www.ec-cube.net/info/weakness/20211111 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors. • https://jvn.jp/en/jp/JVN75444925/index.html https://www.ec-cube.net/info/weakness/20211111

CVSS: 5.1 | EPSS: 0% | CPEs: 15 | EXPL: 0

Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 2.11.0 through 2.13.3 allows remote attackers to hijack the authentication of arbitrary users for requests that write to PHP scripts, related to the doValidToken function. • http://jvn.jp/en/jp/JVN97278546/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2015-000166 http://www.ec-cube.net/info/weakness/weakness.php?id=63 https://www.ec-cube.net/info/weakness/201510_01 • CWE-352: Cross-Site Request Forgery (CSRF)