Software Detail
EC-CUBE
Number of NVD: 50 (CRITICAL 0, HIGH 10, MEDIUM 39, LOW 1)
URL: https://www.ec-cube.net/
Explanation: EC-CUBE is a CMS, made in Japan, for building e-commerce sites.
It is currently supported in three versions: Series 2, Series 3, and Series 4.
Support for Series 2 was scheduled to end with the release of Series 3, but due to the large number of users, support has been extended.

With the Cloud version, you can use EC-CUBE right away without having to prepare a server.
Tag
  • Open source
  • GPL v2

Add Information URL
No Type Name URL
1 https://www.ec-cube.net/press/detail.php?press_id=212
2 https://www.ec-cube.net/download/
3 https://www.ec-cube.net/news/detail.php?news_id=84
4 https://github.com/EC-CUBE/ec-cube3
5 https://github.com/EC-CUBE/ec-cube2

List Of Product
No Name Latest Version Release date Initial release Normal Support Security Support Service Pack Support Extended (for a fee) Critical High Medium Low
21 EC-CUBE 4 4.3.1-p1 March 4, 2026 Oct. 11, 2018 0 3 8 1
22 EC-CUBE 3 3.0.18 July 5, 2019 July 1, 2015 0 5 7 1
23 EC-CUBE 2 2.13.5-p2 Aug. 17, 2023 Dec. 4, 2007 0 4 27 0
24 EC-CUBE 1 1.4.0 Oct. 1, 2008 Feb. 14, 2007 Nov. 6, 2008 0 2 9 0
NVD Vulnerability Information
No CVSS3 CVSS2 Level Attack Vector Title CWE CVE cpe23Uri (or higher / or less / more than / less than) Update date Published date
21 6.3
6.5
MEDIUM
Network
The management screen in LOCKON EC-CUBE 3.0.7 through 3.0.9 allows remote authenticated users to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2016-1… CWE-284
Improper Access Control
CVE-2016-1200 cpe:2.3:a:lockon:ec-cube:3.0.9:*
cpe:2.3:a:lockon:ec-cube:3.0.8:*
cpe:2.3:a:lockon:ec-cube:3.0.7:*
2024-11-21 11:45
2016-04-30
22 5.3
5.0
MEDIUM
Network
The login page in the management screen in LOCKON EC-CUBE 3.0.0 through 3.0.9 allows remote attackers to bypass intended IP address restrictions via unspecified vectors, a different vulnerability tha… CWE-200
Information Exposure
CVE-2016-1199 cpe:2.3:a:lockon:ec-cube:3.0.9:*
cpe:2.3:a:lockon:ec-cube:3.0.8:*
cpe:2.3:a:lockon:ec-cube:3.0.7:*
cpe:2.3:a:l…
2024-11-21 11:45
2016-04-30
23 -
5.1
MEDIUM Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 2.11.0 through 2.13.3 allows remote attackers to hijack the authentication of arbitrary users for requests that write to PHP scripts,… CWE-352
 Origin Validation Error
CVE-2015-5665 cpe:2.3:a:lockon:ec-cube:2.13.2:*
cpe:2.3:a:lockon:ec-cube:2.13.1:*
cpe:2.3:a:lockon:ec-cube:2.13.0:*
cpe:2.3:…
2024-11-21 11:33
2015-10-27
24 -
5.0
MEDIUM Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the… NVD-CWE-noinfo
CVE-2014-0808 cpe:2.3:a:lockon:ec-cube:2.12.2:*
cpe:2.3:a:lockon:ec-cube:2.12.1:*
cpe:2.3:a:lockon:ec-cube:2.12.0:*
cpe:2.3:…
2024-11-21 11:02
2014-01-23
25 -
6.4
MEDIUM data/class/pages/shopping/LC_Page_Shopping_Deliv.php in LOCKON EC-CUBE 2.4.4 and earlier, and 2.11.0 through 2.12.2, allows remote attackers to modify data via unspecified vectors. NVD-CWE-noinfo
CVE-2014-0807 cpe:2.3:a:lockon:ec-cube:2.4.3:*
cpe:2.3:a:lockon:ec-cube:2.4.2:*
cpe:2.3:a:lockon:ec-cube:2.4.1:*
cpe:2.3:a:l…
2.4.4 2024-11-21 11:02
2014-01-23
26 -
4.3
MEDIUM Multiple cross-site scripting (XSS) vulnerabilities in shopping/payment.tpl components in LOCKON EC-CUBE 2.11.0 through 2.13.0 allow remote attackers to inject arbitrary web script or HTML via crafte… CWE-79
Cross-site Scripting
CVE-2013-5996 cpe:2.3:a:lockon:ec-cube:2.13.0:*
cpe:2.3:a:lockon:ec-cube:2.12.6en:*
cpe:2.3:a:lockon:ec-cube:2.12.6:*
cpe:2.…
2024-11-21 10:58
2013-11-21
27 -
5.5
MEDIUM data/class/helper/SC_Helper_Address.php in the front-features implementation in LOCKON EC-CUBE 2.12.3 through 2.13.0 allows remote authenticated users to obtain sensitive information via unspecified … CWE-200
Information Exposure
CVE-2013-5995 cpe:2.3:a:lockon:ec-cube:2.13.0:*
cpe:2.3:a:lockon:ec-cube:2.12.6en:*
cpe:2.3:a:lockon:ec-cube:2.12.6:*
cpe:2.…
2024-11-21 10:58
2013-11-21
28 -
5.0
MEDIUM data/class/pages/mypage/LC_Page_Mypage_DeliveryAddr.php in LOCKON EC-CUBE 2.11.2 through 2.13.0 allows remote attackers to obtain sensitive information via a direct request, which reveals the full pa… CWE-200
Information Exposure
CVE-2013-5994 cpe:2.3:a:lockon:ec-cube:2.13.0:*
cpe:2.3:a:lockon:ec-cube:2.12.6en:*
cpe:2.3:a:lockon:ec-cube:2.12.6:*
cpe:2.…
2024-11-21 10:58
2013-11-21
29 -
6.8
MEDIUM Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 2.11.0 through 2.13.0 allows remote attackers to hijack the authentication of arbitrary users via unspecified vectors related to refu… CWE-352
 Origin Validation Error
CVE-2013-5993 cpe:2.3:a:lockon:ec-cube:2.13.0:*
cpe:2.3:a:lockon:ec-cube:2.12.6en:*
cpe:2.3:a:lockon:ec-cube:2.12.6:*
cpe:2.…
2024-11-21 10:58
2013-11-21
30 -
4.3
MEDIUM Cross-site scripting (XSS) vulnerability in the displaySystemError function in html/handle_error.php in LOCKON EC-CUBE 2.11.0 through 2.11.5 allows remote attackers to inject arbitrary web script or … CWE-79
Cross-site Scripting
CVE-2013-5992 cpe:2.3:a:lockon:ec-cube:2.11.5:*
cpe:2.3:a:lockon:ec-cube:2.11.4:*
cpe:2.3:a:lockon:ec-cube:2.11.3:*
cpe:2.3:…
2024-11-21 10:58
2013-11-21