Remote code execution

2023-11-0708:15:00

PRIOn knowledge base

www.prio-n.com

remote code execution

ec-cube

twig template

7.9 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

44.8%

JSON

EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.

CPENameOperatorVersion
ec-cubege3.0.0
ec-cubele3.0.18
ec-cubeeq3.0.18 p1
ec-cubeeq3.0.18 p2
ec-cubeeq3.0.18 p3
ec-cubeeq3.0.18 p4
ec-cubeeq4.1.2 p1
ec-cubege4.1.0
ec-cubele4.1.2
ec-cubeeq4.0.6 p1

Name	Operator	Version
ec-cube	ge	3.0.0
ec-cube	le	3.0.18
ec-cube	eq	3.0.18 p1
ec-cube	eq	3.0.18 p2
ec-cube	eq	3.0.18 p3
ec-cube	eq	3.0.18 p4
ec-cube	eq	4.1.2 p1
ec-cube	ge	4.1.0
ec-cube	le	4.1.2
ec-cube	eq	4.0.6 p1