Vulnerabilities > CVE-2022-25355 - Improper Control of Dynamically-Managed Code Resources vulnerability in Ec-Cube

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

LOW

Availability impact

NONE

network

low complexity

ec-cube

CWE-913

NVD

Published: 2022-02-24

Updated: 2023-08-08

Summary

EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users.

Vulnerable Configurations

Part	Description	Count
Application	Ec-Cube EC Cube EC Cube 3.0.18 EC Cube EC Cube 3.0.0 EC Cube EC Cube 3.0.1 EC Cube EC Cube 3.0.2 EC Cube EC Cube 3.0.3 EC Cube EC Cube 3.0.4 EC Cube EC Cube 3.0.5 EC Cube EC Cube 3.0.6 EC Cube EC Cube 3.0.7 EC Cube EC Cube 3.0.8 EC Cube EC Cube 3.0.9 EC Cube EC Cube 3.0.10 EC Cube EC Cube 3.0.11 EC Cube EC Cube 3.0.12 EC Cube EC Cube 3.0.13 EC Cube EC Cube 3.0.14 EC Cube EC Cube 3.0.15 EC Cube EC Cube 3.0.16 EC Cube EC Cube 3.0.17 EC Cube EC Cube 4.0.0 EC Cube EC Cube 4.0.1 EC Cube EC Cube 4.0.2 EC Cube EC Cube 4.0.3 EC Cube EC Cube 4.0.5 EC Cube EC Cube 4.0.6 EC Cube EC Cube 4.1.0 EC Cube EC Cube 4.1.1	47

Common Weakness Enumeration (CWE)

CWE-913 - Improper Control of Dynamically-Managed Code Resources

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References