First published: Tue Sep 27 2022
A DOM-based cross-site scripting vulnerability in the EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product visit a specially crafted page.
Credit: vultures@jpcert.or.jp
Affected Software | Affected Version | How to fix
---|---|---
EC-CUBE EC-CUBE | >=4.0.0 <=4.1.2 | Update to a version later than 4.1.2
composer/ec-cube/ec-cube | >=4.0.0 <=4.1.2 | Update to a version later than 4.1.2
The vulnerability ID is CVE-2022-38975.
The severity of CVE-2022-38975 is medium with a score of 5.4.
The affected software version range for CVE-2022-38975 is EC-CUBE 4.0.0 to 4.1.2.
CVE-2022-38975 allows a remote attacker to inject arbitrary script into the EC-CUBE 4 series by having an administrative user visit a specially crafted page.
To fix CVE-2022-38975, update EC-CUBE to a version later than 4.1.2, which addresses the vulnerability.