Cross-Site Scripting Vulnerability in EC-CUBE Product Series by EC-CUBE
CVE-2023-22438

5.4MEDIUM

Key Information:

Vendor: Ec-cube Co.,ltd.
Status: Ec-cube 4 Series, Ec-cube 3 Series, And Ec-cube 2 Series
Vendor: CVE Published:; 6 March 2023

🔔 Create Ec-cube Co.,ltd. Vulnerability Alert

What is CVE-2023-22438?

A cross-site scripting vulnerability exists in the content management system of various EC-CUBE versions. This flaw permits authenticated attackers to inject arbitrary scripts into the web application, potentially compromising user data and website integrity. The vulnerability affects multiple series, including versions 4.0.0 through 4.0.6-p2, 4.1.0 through 4.1.2-p1, and earlier EC-CUBE 3 and 2 series versions, necessitating urgent attention from users to mitigate associated risks.

Affected Version(s)

EC-CUBE 4 series, EC-CUBE 3 series, and EC-CUBE 2 series EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, EC-CUBE 4.2.0, EC-CUBE 3.0.0 to 3.0.18-p5, EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2

References

https://www.ec-cube.net/info/weakness/20230214/

https://www.ec-cube.net/info/weakness/20230214/index_3.php

https://www.ec-cube.net/info/weakness/20230214/index_2.php

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 6, 2023
Vulnerability Reserved
Dec 28, 2022