CVE-2023-40281

MEDIUM EPSS 28.1%
Published Aug 17, 20232y ago · Modified Jun 17, 20261w ago
4.8 CVSS 3.1
Medium
Find Similar
Published Aug 17, 2023 2y ago
Last Modified Jun 17, 2026 1w ago

Description

EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product.

CVSS Details

Base Score
4.8
Exploitability
1.7
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
28.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 8

VendorProductVersionRange
ec-cubeec-cube*≥2.11.0  –  ≤2.11.5
ec-cubeec-cube*≥2.12.0  –  ≤2.12.6
ec-cubeec-cube*≥2.13.0  –  <2.13.5
ec-cubeec-cube*≥2.17.0  –  <2.17.2
ec-cubeec-cube2.13.5any
ec-cubeec-cube2.13.5any
ec-cubeec-cube2.17.2any
ec-cubeec-cube2.17.2any

References 2

  • jvn.jp https://jvn.jp/en/jp/JVN46993816/
    Third Party Advisory
  • ec-cube.net https://www.ec-cube.net/info/weakness/20230727/
    MitigationPatchVendor Advisory

Remediation

  • ec-cube.net https://www.ec-cube.net/info/weakness/20230727/
    MitigationPatchVendor Advisory