Improper HTTP Header Handling in EC-CUBE by EC-CUBE Corporation
CVE-2022-25355

5.3MEDIUM

Key Information:

Vendor: Ec-cube Co.,ltd.
Status: Ec-cube 3 Series And Ec-cube 4 Series
Vendor: CVE Published:; 24 February 2022

🔔 Create Ec-cube Co.,ltd. Vulnerability Alert

What is CVE-2022-25355?

The EC-CUBE framework, versions 3.0.0 to 3.0.18-p3 and 4.0.0 to 4.1.1, has a security flaw where it improperly processes HTTP Host header values. This oversight allows remote unauthenticated attackers to manipulate the system, potentially causing it to send emails containing forged reissue-password URLs to users of the EC-CUBE platform. The exploitation of this vulnerability could undermine user trust and lead to credential compromises.

Affected Version(s)

EC-CUBE 3 series and EC-CUBE 4 series EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1

References

https://www.ec-cube.net/info/weakness/20220221/

x_refsource_MISC

https://jvn.jp/en/jp/JVN53871926/index.html

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 24, 2022
Vulnerability Reserved
Feb 20, 2022