Japan Vulnerability NotesJVN:79254445JVN#79254445: Multiple ETUNA EC-CUBE plugins vulnerable to cross-site scripting
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
54.5%
Multiple EC-CUBE plugins provided by ETUNA contain a cross-site scripting vulnerability (CWE-79).
An arbitrary script may be executed by executing a specific operation on the management page of EC-CUBE.
As of 2021 June 15, an attack exploting this vulnerability has been observed in the wild.
Impact
An arbitrary script may be executed on the web browser of the user who is accessing the administrative page of the affected product.
Solution
Update the software
Update to the latest version according to the information provided by the developer.
Products Affected
- Delivery slip number plugin (3.0 series) 1.0.10 and earlier
- Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier
- Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
54.5%