First published: Mon May 10 2021
Cross-site scripting vulnerability in EC-CUBE 4.0.0 to 4.0.5 allows a remote attacker to inject a specially crafted script into a specific input field of an EC web site created using EC-CUBE. As a result, an arbitrary script may be executed in the administrator's web browser.
Credit: vultures@jpcert.or.jp
Affected Software | Affected Version | How to fix |
---|---|---|
EC-CUBE EC-CUBE | >=4.0.0<4.0.5 | |
composer/ec-cube/ec-cube | >=4.0.0<=4.0.5 | |
The vulnerability ID of this cross-site scripting vulnerability is CVE-2021-20717.
The affected software of this vulnerability is EC-CUBE version 4.0.0 to 4.0.5.
The severity of vulnerability CVE-2021-20717 is medium with a CVSS score of 6.1.
This vulnerability allows a remote attacker to inject a specially crafted script into a specific input field of the EC web site, potentially leading to arbitrary script execution in the administrator's web browser.
To fix this vulnerability, it is recommended to update EC-CUBE to version 4.0.6 or later.