Software Detail
EC-CUBE
Number of NVD entries: 50 (CRITICAL 0, HIGH 10, MEDIUM 39, LOW 1)
URL: https://www.ec-cube.net/
Explanation: This is a Japanese-made CMS for building e-commerce sites.
It is currently supported in three versions: Series 2, Series 3, and Series 4.
Support for Series 2 was scheduled to end with the release of Series 3, but due to the large number of users, support has been extended.

With the Cloud version, you can use EC-CUBE right away without having to prepare a server.
Tag
  • Open source
  • GPL v2

Add Information URL
No Type Name URL
1 https://www.ec-cube.net/press/detail.php?press_id=212
2 https://www.ec-cube.net/download/
3 https://www.ec-cube.net/news/detail.php?news_id=84
4 https://github.com/EC-CUBE/ec-cube3
5 https://github.com/EC-CUBE/ec-cube2

List Of Product
No | Name | Latest Version | Release date | Initial release | Normal Support | Security Support | Service Pack Support | Extended for a fee | Critical | High | Medium | Low
1 EC-CUBE 4 4.3.1-p1 March 4, 2026 Oct. 11, 2018 0 3 8 1
2 EC-CUBE 3 3.0.18 July 5, 2019 July 1, 2015 0 5 7 1
3 EC-CUBE 2 2.13.5-p2 Aug. 17, 2023 Dec. 4, 2007 0 4 27 0
4 EC-CUBE 1 1.4.0 Oct. 1, 2008 Feb. 14, 2007 Nov. 6, 2008 0 2 9 0
NVD Vulnerability Information
No | CVSS3 | CVSS2 | Level | Attack Vector | Title | CWE | CVE | cpe23Uri | or higher | or less | more than | less than | Update date | Published date
1. CVE-2023-46845
CVSS3: 7.2; CVSS2: -; Level: HIGH; Attack Vector: Network
Title: EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the templat…
CWE: CWE-94 Code Injection
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:4.1.2:p2, cpe:2.3:a:ec-cube:ec-cube:4.1.2:p1, cpe:2.3:a:ec-cube:ec-cube:4.0.6:p3, cpe:2…
Version bounds as listed (columns: or higher / or less / more than / less than): 4.1.0, 4.0.0, 4.2.0, 3.0.0, 4.1.2, 4.0.6, 3.0.18, 4.2.3
Update date: 2024-11-21 17:29; Published date: 2023-11-7

2. CVE-2023-40281
CVSS3: 4.8; CVSS2: -; Level: MEDIUM; Attack Vector: Network
Title: EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be …
CWE: CWE-79 Cross-site Scripting
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:2.17.2:patch1, cpe:2.3:a:ec-cube:ec-cube:2.17.2:-, cpe:2.3:a:ec-cube:ec-cube:2.13.5:patch…
Version bounds as listed (columns: or higher / or less / more than / less than): 2.12.0, 2.11.0, 2.13.0, 2.17.0, 2.12.6, 2.11.5, 2.13.5, 2.17.2
Update date: 2024-11-21 17:19; Published date: 2023-08-17

3. CVE-2023-25077
CVSS3: 5.4; CVSS2: -; Level: MEDIUM; Attack Vector: Network
Title: Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitr…
CWE: CWE-79 Cross-site Scripting
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:4.2.0:*, cpe:2.3:a:ec-cube:ec-cube:4.1.2:p1, cpe:2.3:a:ec-cube:ec-cube:4.0.6:p2, cpe:2.…
Version bounds as listed (columns: or higher / or less / more than / less than): 4.1.0, 4.0.0, 4.1.2, 4.0.6
Update date: 2024-11-21 16:49; Published date: 2023-03-6

4. CVE-2023-22838
CVSS3: 5.4; CVSS2: -; Level: MEDIUM; Attack Vector: Network
Title: Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker t…
CWE: CWE-79 Cross-site Scripting
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:4.2.0:*, cpe:2.3:a:ec-cube:ec-cube:4.1.2:p1, cpe:2.3:a:ec-cube:ec-cube:4.0.6:p2, cpe:2.…
Version bounds as listed (columns: or higher / or less / more than / less than): 4.1.0, 4.0.0, 4.1.2, 4.0.6
Update date: 2024-11-21 16:45; Published date: 2023-03-6

5. CVE-2023-22438
CVSS3: 5.4; CVSS2: -; Level: MEDIUM; Attack Vector: Network
Title: Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5),…
CWE: CWE-79 Cross-site Scripting
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:4.2.0:*, cpe:2.3:a:ec-cube:ec-cube:4.1.2:p1, cpe:2.3:a:ec-cube:ec-cube:4.0.6:p2, cpe:2.…
Version bounds as listed (columns: or higher / or less / more than / less than): 3.0.0, 4.1.0, 4.0.0, 2.17.0, 2.13.0, 2.12.0, 2.11.0, 3.0.18, 4.1.2, 4.0.6, 2.17.2, 2.13.5, 2.12.6, 2.11.5
Update date: 2025-03-8 07:15; Published date: 2023-03-6

6. CVE-2022-40199
CVSS3: 2.7; CVSS2: -; Level: LOW; Attack Vector: Network
Title: Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privile…
CWE: CWE-22 Path Traversal
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:3.0.18:p4, cpe:2.3:a:ec-cube:ec-cube:3.0.18:p3, cpe:2.3:a:ec-cube:ec-cube:3.0.18:p2, cp…
Version bounds as listed (columns: or higher / or less / more than / less than): 3.0.0, 4.0.0, 4.1.2, 3.0.18
Update date: 2024-11-21 16:21; Published date: 2022-09-28

7. CVE-2022-38975
CVSS3: 5.4; CVSS2: -; Level: MEDIUM; Attack Vector: Network
Title: DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to vis…
CWE: CWE-79 Cross-site Scripting
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:*:*
Version bounds as listed (columns: or higher / or less / more than / less than): 4.0.0, 4.1.2
Update date: 2024-11-21 16:17; Published date: 2022-09-28

8. CVE-2022-25355
CVSS3: 5.3; CVSS2: 5.0; Level: MEDIUM; Attack Vector: Network
Title: EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send a…
CWE: CWE-913 Improper Control of Dynamically-Managed Code Resources
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:3.0.18:p3, cpe:2.3:a:ec-cube:ec-cube:3.0.18:p2, cpe:2.3:a:ec-cube:ec-cube:3.0.18:p1, cp…
Version bounds as listed (columns: or higher / or less / more than / less than): 3.0.0, 4.0.0, 4.1.1, 3.0.18
Update date: 2024-11-21 15:52; Published date: 2022-02-25

9. CVE-2021-20842
CVSS3: 6.5; CVSS2: 4.3; Level: MEDIUM; Attack Vector: Network
Title: Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially cr…
CWE: CWE-352 Origin Validation Error
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:*:*
Version bounds as listed (columns: or higher / or less / more than / less than): 2.11.0, 2.17.1
Update date: 2024-11-21 14:47; Published date: 2021-11-25

10. CVE-2021-20841
CVSS3: 6.5; CVSS2: 4.0; Level: MEDIUM; Attack Vector: Network
Title: Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vect…
CWE: NVD-CWE-Other
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:*:*
Version bounds as listed (columns: or higher / or less / more than / less than): 2.11.2, 2.17.1
Update date: 2024-11-21 14:47; Published date: 2021-11-25