First published: Fri Sep 07 2018
Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors.
Credit: vultures@jpcert.or.jp
Affected Software | Affected Version | How to fix |
---|---|---|
Ec-cube Ec-cube Payment Module | <=2.3.17 | |
Gmo-pg Gmo-pg Payment Module | <=2.3.17 | |
EC-CUBE EC-CUBE | =2.11 | |
Ec-cube Ec-cube Payment Module | <=3.5.23 | |
Gmo-pg Gmo-pg Payment Module | <=3.5.23 | |
EC-CUBE EC-CUBE | =2.12 | |
The vulnerability ID of this issue is CVE-2018-0658.
The severity of CVE-2018-0658 is high with a CVSS score of 7.2.
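This vulnerability affects EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, and EC-CUBE Payment Module (2.11) version 2.3.17 and earlier.
This vulnerability affects GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, and GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier.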
To fix this vulnerability, update EC-CUBE Payment Module and GMO-PG Payment Module to versions 2.3.18 or 3.5.24, or apply the necessary patches provided by the vendors.