Vulnerabilities > EC Cube

DATE CVE VULNERABILITY TITLE RISK
2023-11-07 CVE-2023-46845 Code Injection vulnerability in Ec-Cube
EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product.
network
low complexity
ec-cube CWE-94
7.2
2023-08-17 CVE-2023-40281 Cross-site Scripting vulnerability in Ec-Cube
EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product.
network
low complexity
ec-cube CWE-79
4.8
2023-03-06 CVE-2023-22438 Cross-site Scripting vulnerability in Ec-Cube
Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script.
network
low complexity
ec-cube CWE-79
5.4
2023-03-06 CVE-2023-22838 Cross-site Scripting vulnerability in Ec-Cube
Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
network
low complexity
ec-cube CWE-79
5.4
2023-03-06 CVE-2023-25077 Cross-site Scripting vulnerability in Ec-Cube
Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
network
low complexity
ec-cube CWE-79
5.4
2022-09-27 CVE-2022-37346 Unrestricted Upload of File with Dangerous Type vulnerability in Ec-Cube Product Image Bulk Upload 1.0.0/4.1.0
EC-CUBE plugin 'Product Image Bulk Upload Plugin' 1.0.0 and 4.1.0 contains an insufficient verification vulnerability when uploading files.
network
low complexity
ec-cube CWE-434
critical
9.8
2022-09-27 CVE-2022-38975 Cross-site Scripting vulnerability in Ec-Cube
DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page.
network
low complexity
ec-cube CWE-79
5.4
2022-09-27 CVE-2022-40199 Path Traversal vulnerability in Ec-Cube
Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure information.
network
low complexity
ec-cube CWE-22
2.7
2022-02-24 CVE-2022-21179 Cross-Site Request Forgery (CSRF) vulnerability in Ec-Cube E-Mail Newsletter Management
Cross-site request forgery (CSRF) vulnerability in EC-CUBE plugin 'Mail Magazine Management Plugin' ver4.0.0 to 4.1.1 (for EC-CUBE 4 series) and ver1.0.0 to 1.0.4 (for EC-CUBE 3 series) allows a remote unauthenticated attacker to hijack the authentication of an administrator via a specially crafted page, and Mail Magazine Templates and/or transmitted history information may be deleted unintendedly.
network
ec-cube CWE-352
4.3
2022-02-24 CVE-2022-25355 Improper Control of Dynamically-Managed Code Resources vulnerability in Ec-Cube
EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users.
network
low complexity
ec-cube CWE-913
5.3