Japan Vulnerability NotesJVN:67108459JVN#67108459: EC-CUBE plugin "Mail Magazine Management Plugin" vulnerable to cross-site request forgery
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS
Percentile
28.7%
EC-CUBE plugin “Mail Magazine Management Plugin” provided by EC-CUBE CO.,LTD. contains a cross-site request forgery vulnerability (CWE-352).
Impact
If a user with an administrative privilege views a malicious page while logged in to EC-CUBE which the plugin is installed, Mail Magazine Templates and/or transmitted history information may be deleted unintendedly.
Solution
Update the plugin
Update the plugin to the latest version according to the information provided by the developer.
The developer has released the following versions.
- ver4.1.2 (for EC-CUBE 4 series)
- ver1.0.5 (for EC-CUBE 3 series)
Products Affected
- Mail Magazine Management Plugin
- ver4.0.0 to 4.1.1 (for EC-CUBE 4 series)
- ver1.0.0 to 1.0.4 (for EC-CUBE 3 series)
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS
Percentile
28.7%