JVN#57524494: Multiple cross-site scripting vulnerabilities in multiple EC-CUBE plugins provided by EC-CUBE

2021-06-15 00:00:00
Japan Vulnerability Notes (jvn.jp)
Tags: cross-site scripting, vulnerabilities, ec-cube plugins, cve-2021-20742, cve-2021-20743, cve-2021-20744, update the plugin, business form output plugin, email newsletters management plugin, category contents plugin

CVSS2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE

CVSS3: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: NONE

EPSS: 0.001 (Percentile: 47.2%)

Multiple EC-CUBE plugins provided by EC-CUBE CO.,LTD. contain multiple cross-site scripting vulnerabilities listed below.

Cross-site scripting vulnerability (CWE-79) - CVE-2021-20742

  Version   Vector                                         Score
  CVSS v3   CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L   Base Score: 7.1
  CVSS v2   AV:N/AC:M/Au:N/C:P/I:P/A:P                     Base Score: 6.8

Cross-site scripting vulnerability (CWE-79) - CVE-2021-20743

  Version   Vector                                         Score
  CVSS v3   CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N   Base Score: 6.1
  CVSS v2   AV:N/AC:H/Au:N/C:N/I:P/A:N                     Base Score: 2.6

Cross-site scripting vulnerability (CWE-79) - CVE-2021-20744

  Version   Vector                                         Score
  CVSS v3   CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N   Base Score: 6.1
  CVSS v2   AV:N/AC:H/Au:N/C:N/I:P/A:N                     Base Score: 2.6

Impact

  • If a remote attacker injects a specially crafted script into the specific input field of an EC web site built with EC-CUBE, an arbitrary script may be executed in the administrator's web browser - CVE-2021-20742
  • If a remote attacker leads a user of the product to a specially crafted page and has them perform a specific operation, an arbitrary script may be executed in the user's web browser - CVE-2021-20743
  • If a remote attacker leads an administrator or a user of the product to a specially crafted page and has them perform a specific operation, an arbitrary script may be executed in the administrator's or the user's web browser - CVE-2021-20744

Solution

Update the plugin
Update the plugin to the latest version according to the information provided by the developer.

Products Affected

CVE-2021-20742

  • Business form output plugin (for EC-CUBE 3.0 series) versions prior to version 1.0.1

CVE-2021-20743

  • Email newsletters management plugin (for EC-CUBE 3.0 series) versions prior to version 1.0.4

CVE-2021-20744

  • Category contents plugin (for EC-CUBE 3.0 series) versions prior to version 1.0.1

The developer states that these issues exist only in EC-CUBE 3.0.0 to 3.0.8 environments and do not exist in EC-CUBE 3.0.9 or later environments.

