DOM-Based Cross-Site Scripting in EC-CUBE by EC-CUBE Co.
CVE-2022-38975

5.4MEDIUM

Key Information:

Vendor

Ec-cube Co.,ltd.

Status
Ec-cube 4 Series
Vendor
CVE Published:
27 September 2022

What is CVE-2022-38975?

A DOM-based cross-site scripting vulnerability exists in the EC-CUBE 4 series, specifically affecting versions 4.0.0 to 4.1.2. This vulnerability enables an attacker to inject arbitrary scripts into web pages viewed by administrative users. By enticing an admin to visit a maliciously crafted URL, the attacker could exploit this flaw to execute unwanted actions or steal sensitive information within the application.

Affected Version(s)

EC-CUBE 4 series EC-CUBE 4.0.0 to 4.1.2

References

https://www.ec-cube.net/info/weakness/20220909/
x_refsource_MISC
https://jvn.jp/en/jp/JVN21213852/index.html
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.