Japan Vulnerability Notes (jvn), JVN:15637138
History: May 29, 2024 - 12:00 a.m.

JVN#15637138: EC-Orange vulnerable to authorization bypass

Tags: ec-orange, s-cubism inc., e-commerce system, authorization bypass, cwe-639, ec-cube, vulnerability, http request, software update, patch, information disclosure, systems deployment date

CVSS2: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVSS3: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

AI Score: 6.7 (Confidence: High)

EPSS: 0.006 (Percentile: 79.3%)

EC-Orange, provided by S-cubism Inc., is an e-commerce website building system package based on the open source software EC-CUBE.
EC-Orange contains an authorization bypass vulnerability (CWE-639).
This is the same issue as JVN#51770585 (EC-CUBE vulnerable to authorization bypass).

Impact

A user of the affected shopping website may obtain other users’ information by sending a crafted HTTP request.

Solution

Update the Software or Apply the Patch
Update the software to the latest version or apply the patch according to the information provided by the developer.
For systems deployed after June 29th, 2015, the issue has already been resolved.

Products Affected

  • Systems deployed before June 29th, 2015
