Software Detail
EC-CUBE Number Of NVD: 50 (CRITICAL 0, HIGH 10, MEDIUM 39, LOW 1)
URL https://www.ec-cube.net/
Explanation This is a Japanese-made CMS for building e-commerce sites.
It is currently supported in three versions: Series 2, Series 3, and Series 4.
Support for Series 2 was scheduled to end with the release of Series 3, but due to the large number of users, support has been extended.

With the Cloud version, you can use EC-CUBE right away without having to prepare a server.
Tag
  • Open source
  • GPL v2

Add Information URL
No Type Name URL
1 https://www.ec-cube.net/press/detail.php?press_id=212
2 https://www.ec-cube.net/download/
3 https://www.ec-cube.net/news/detail.php?news_id=84
4 https://github.com/EC-CUBE/ec-cube3
5 https://github.com/EC-CUBE/ec-cube2

List Of Product
Columns: No, Name, Latest Version, Release date, Initial release, Normal Support, Security Support, Service Pack Support, Extended for a fee, Critical, High, Medium, Low
11 EC-CUBE 4 4.3.1-p1 March 4, 2026 Oct. 11, 2018 0 3 8 1
12 EC-CUBE 3 3.0.18 July 5, 2019 July 1, 2015 0 5 7 1
13 EC-CUBE 2 2.13.5-p2 Aug. 17, 2023 Dec. 4, 2007 0 4 27 0
14 EC-CUBE 1 1.4.0 Oct. 1, 2008 Feb. 14, 2007 Nov. 6, 2008 0 2 9 0

NVD Vulnerability Information
Columns: No, CVSS3, CVSS2, Level, Attack Vector, Title, CWE, CVE, cpe23Uri, or higher, or less, more than, less than, Update date, Published date

11 CVE-2021-20778
CVSS3: 7.5, CVSS2: 5.0, Level: HIGH, Attack Vector: Network
Title: Improper access control vulnerability in EC-CUBE 4.0.6 (EC-CUBE 4 series) allows a remote attacker to bypass access restriction and obtain sensitive information via unspecified vectors.
CWE: NVD-CWE-Other
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:4.0.6:-
Update date: 2024-11-21 14:47
Published date: 2021-07-1

12 CVE-2021-20751
CVSS3: 6.1, CVSS2: 4.3, Level: MEDIUM, Attack Vector: Network
Title: Cross-site scripting vulnerability in EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially …
CWE: CWE-79 Cross-site Scripting
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:4.0.5.:-, cpe:2.3:a:ec-cube:ec-cube:*:*
Version bounds: 4.0.0, 4.0.5
Update date: 2024-11-21 14:47
Published date: 2021-06-28

13 CVE-2021-20750
CVSS3: 6.1, CVSS2: 4.3, Level: MEDIUM, Attack Vector: Network
Title: Cross-site scripting vulnerability in EC-CUBE 3.0.0 to 3.0.18-p2 (EC-CUBE 3 series) and EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by …
CWE: CWE-79 Cross-site Scripting
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:4.0.5:-, cpe:2.3:a:ec-cube:ec-cube:3.0.18:p1, cpe:2.3:a:ec-cube:ec-cube:3.0.18:-, cpe:2…
Version bounds: 4.0.0, 3.0.0, 4.0.5, 3.0.18
Update date: 2024-11-21 14:47
Published date: 2021-06-28

14 CVE-2021-20717
CVSS3: 6.1, CVSS2: 4.3, Level: MEDIUM, Attack Vector: Network
Title: Cross-site scripting vulnerability in EC-CUBE 4.0.0 to 4.0.5 allows a remote attacker to inject a specially crafted script in the specific input field of the EC web site which is created using EC-CUB…
CWE: CWE-79 Cross-site Scripting
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:*:*
Version bounds: 4.0.0, 4.0.5
Update date: 2024-11-21 14:47
Published date: 2021-05-10

15 CVE-2020-5680
CVSS3: 7.5, CVSS2: 5.0, Level: HIGH, Attack Vector: Network
Title: Improper input validation vulnerability in EC-CUBE versions from 3.0.5 to 3.0.18 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vector.
CWE: CWE-20 Improper Input Validation
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:*:*
Version bounds: 3.0.5, 3.0.18
Update date: 2024-11-21 14:34
Published date: 2020-12-3

16 CVE-2020-5679
CVSS3: 6.1, CVSS2: 4.3, Level: MEDIUM, Attack Vector: Network
Title: Improper restriction of rendered UI layers or frames in EC-CUBE versions from 3.0.0 to 3.0.18 leads to clickjacking attacks. If a user accesses a specially crafted page while logged into the administ…
CWE: CWE-1021 Improper Restriction of Rendered UI Layers or Frames
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:*:*
Version bounds: 3.0.0, 3.0.18
Update date: 2024-11-21 14:34
Published date: 2020-12-3

17 CVE-2020-5590
CVSS3: 8.1, CVSS2: 5.5, Level: HIGH, Attack Vector: Network
Title: Directory traversal vulnerability in EC-CUBE 3.0.0 to 3.0.18 and 4.0.0 to 4.0.3 allows remote authenticated attackers to delete arbitrary files and/or directories on the server via unspecified vector…
CWE: CWE-22 Path Traversal
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:*:*
Version bounds: 4.0.0, 3.0.0, 4.0.3, 3.0.18
Update date: 2024-11-21 14:34
Published date: 2020-06-19

18 CVE-2018-16191
CVSS3: 6.1, CVSS2: 5.8, Level: MEDIUM, Attack Vector: Network
Title: Open redirect vulnerability in EC-CUBE (EC-CUBE 3.0.0, EC-CUBE 3.0.1, EC-CUBE 3.0.2, EC-CUBE 3.0.3, EC-CUBE 3.0.4, EC-CUBE 3.0.5, EC-CUBE 3.0.6, EC-CUBE 3.0.7, EC-CUBE 3.0.8, EC-CUBE 3.0.9, EC-CUBE 3…
CWE: CWE-601 Open Redirect
cpe23Uri: cpe:2.3:a:ec-cube:ec-cube:*:*
Version bounds: 3.0.0, 3.0.16
Update date: 2024-11-21 12:52
Published date: 2019-01-10

19 CVE-2018-0564
CVSS3: 8.1, CVSS2: 5.8, Level: HIGH, Attack Vector: Network
Title: Session fixation vulnerability in EC-CUBE (EC-CUBE 3.0.0, EC-CUBE 3.0.1, EC-CUBE 3.0.2, EC-CUBE 3.0.3, EC-CUBE 3.0.4, EC-CUBE 3.0.5, EC-CUBE 3.0.6, EC-CUBE 3.0.7, EC-CUBE 3.0.8, EC-CUBE 3.0.9, EC-CUBE…
CWE: CWE-384 Session Fixation
cpe23Uri: cpe:2.3:a:lockon:ec-cube:*:*
Version bounds: 3.0.0, 3.0.15
Update date: 2024-11-21 12:38
Published date: 2018-04-20

20 CVE-2016-1201
CVSS3: 8.8, CVSS2: 6.8, Level: HIGH, Attack Vector: Network
Title: Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 3.0.0 through 3.0.9 allows remote attackers to hijack the authentication of administrators.
CWE: CWE-352 Origin Validation Error
cpe23Uri: cpe:2.3:a:lockon:ec-cube:3.0.9:*, cpe:2.3:a:lockon:ec-cube:3.0.8:*, cpe:2.3:a:lockon:ec-cube:3.0.7:*, cpe:2.3:a:l…
Update date: 2024-11-21 11:45
Published date: 2016-04-30