Vulnerabilities > EC Cube > EC Cube > 4.0.0

DATE CVE VULNERABILITY TITLE RISK
2023-11-07 CVE-2023-46845 Code Injection vulnerability in Ec-Cube
EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product.
network
low complexity
ec-cube CWE-94
7.2
2023-03-06 CVE-2023-22438 Cross-site Scripting vulnerability in Ec-Cube
Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script.
network
low complexity
ec-cube CWE-79
5.4
2023-03-06 CVE-2023-22838 Cross-site Scripting vulnerability in Ec-Cube
Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
network
low complexity
ec-cube CWE-79
5.4
2023-03-06 CVE-2023-25077 Cross-site Scripting vulnerability in Ec-Cube
Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.
network
low complexity
ec-cube CWE-79
5.4
2022-09-27 CVE-2022-38975 Cross-site Scripting vulnerability in Ec-Cube
DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page.
network
low complexity
ec-cube CWE-79
5.4
2022-09-27 CVE-2022-40199 Path Traversal vulnerability in Ec-Cube
Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure information.
network
low complexity
ec-cube CWE-22
2.7
2022-02-24 CVE-2022-25355 Improper Control of Dynamically-Managed Code Resources vulnerability in Ec-Cube
EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users.
network
low complexity
ec-cube CWE-913
5.3
2021-06-28 CVE-2021-20750 Cross-site Scripting vulnerability in Ec-Cube
Cross-site scripting vulnerability in EC-CUBE EC-CUBE 3.0.0 to 3.0.18-p2 (EC-CUBE 3 series) and EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific operation.
network
ec-cube CWE-79
4.3
2021-06-28 CVE-2021-20751 Cross-site Scripting vulnerability in Ec-Cube
Cross-site scripting vulnerability in EC-CUBE EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific operation.
network
ec-cube CWE-79
4.3
2021-05-10 CVE-2021-20717 Cross-site Scripting vulnerability in Ec-Cube
Cross-site scripting vulnerability in EC-CUBE 4.0.0 to 4.0.5 allows a remote attacker to inject a specially crafted script in the specific input field of the EC web site which is created using EC-CUBE.
network
ec-cube CWE-79
4.3