Cross-Site Scripting Vulnerability in EC-CUBE by EC-CUBE
CVE-2023-22838

5.4MEDIUM

Key Information:

Vendor: Ec-cube Co.,ltd.
Status: Ec-cube 4 Series
Vendor: CVE Published:; 6 March 2023

🔔 Create Ec-cube Co.,ltd. Vulnerability Alert

What is CVE-2023-22838?

A cross-site scripting vulnerability exists in the Product List Screen and Product Detail Screen of EC-CUBE versions 4.0.0 through 4.0.6-p2, 4.1.0 through 4.1.2-p1, and 4.2.0. This flaw enables a remote authenticated attacker to inject arbitrary scripts, which may lead to unauthorized actions being executed in the context of the user’s session, posing significant security risks.

Affected Version(s)

EC-CUBE 4 series EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0

References

https://www.ec-cube.net/info/weakness/20230214/

https://jvn.jp/en/jp/JVN04785663/

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 6, 2023
Vulnerability Reserved
Feb 17, 2023