Cross-Site Scripting Vulnerability in EC-CUBE by EC-CUBE Co., Ltd.
CVE-2023-25077

5.4MEDIUM

Key Information:

Vendor: Ec-cube Co.,ltd.
Status: Ec-cube 4 Series
Vendor: CVE Published:; 6 March 2023

🔔 Create Ec-cube Co.,ltd. Vulnerability Alert

What is CVE-2023-25077?

A cross-site scripting vulnerability exists in the Authentication Key Settings of EC-CUBE versions 4.0.0 to 4.0.6-p2, 4.1.0 to 4.1.2-p1, and 4.2.0. This vulnerability allows remote authenticated attackers to inject arbitrary scripts, potentially compromising user data and the integrity of web applications. Proper validation and sanitization of inputs are crucial for preventing exploitation.

Affected Version(s)

EC-CUBE 4 series EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0

References

https://www.ec-cube.net/info/weakness/20230214/

https://jvn.jp/en/jp/JVN04785663/

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 6, 2023
Vulnerability Reserved
Feb 17, 2023