Lucene search

[email protected]CVE-2018-0657

HistorySep 07, 2018 - 2:29 p.m.

CVE-2018-0657

2018-09-0714:29:02

CWE-79

[email protected]

web.nvd.nist.gov

cve-2018-0657

cross-site scripting

ec-cube

gmo-pg

payment module

vulnerability

security

arbitrary web script

html

injection

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

5.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.7%

JSON

Cross-site scripting vulnerability in EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE (EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, and GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier) allow an attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors.

Affected configurations

NVD

Node

ec-cubeec-cubeMatch2.11

AND

ec-cubeec-cube_payment_moduleRange≤2.3.17

gmo-pggmo-pg_payment_moduleRange≤2.3.17

Node

ec-cubeec-cubeMatch2.12

AND

ec-cubeec-cube_payment_moduleRange≤3.5.23

gmo-pggmo-pg_payment_moduleRange≤3.5.23

CPENameOperatorVersion
ec-cube:ec-cube_payment_moduleec-cube ec-cube payment modulele2.3.17
gmo-pg:gmo-pg_payment_modulegmo-pg gmo-pg payment modulele2.3.17

CPE	Name	Operator	Version
ec-cube:ec-cube_payment_module	ec-cube ec-cube payment module	le	2.3.17
gmo-pg:gmo-pg_payment_module	gmo-pg gmo-pg payment module	le	2.3.17

CNA Affected

[
  {
    "product": "EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE",
    "vendor": "GMO Payment Gateway, Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "(EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, and GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier)"
      }
    ]
  }
]

References

jvn.jp/en/jp/JVN06372244/index.html

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

5.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.7%

JSON

Related for CVE-2018-0657

prion1 cvelist1 nvd1 jvn1