First published: Tue Sep 27 2022
Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with administrative privileges to obtain the product's directory structure information.
Credit: vultures@jpcert.or.jp
Affected Software | Affected Version | How to fix |
---|---|---|
EC-CUBE EC-CUBE | >=3.0.0 <3.0.18 | |
EC-CUBE EC-CUBE | >=4.0.0 <=4.1.2 | |
EC-CUBE EC-CUBE | =3.0.18 | |
EC-CUBE EC-CUBE | =3.0.18-p1 | |
EC-CUBE EC-CUBE | =3.0.18-p2 | |
EC-CUBE EC-CUBE | =3.0.18-p3 | |
EC-CUBE EC-CUBE | =3.0.18-p4 | |
composer/ec-cube/ec-cube | >=4.0.0 <=4.1.2 | |
composer/ec-cube/ec-cube | >=3.0.0 <=3.0.18-p4 | |
The vulnerability ID for this directory traversal vulnerability is CVE-2022-40199.
The EC-CUBE 3 series (version 3.0.0 to 3.0.18-p4) and EC-CUBE 4 series (version 4.0.0 to 4.1.2) are affected by this vulnerability.
The severity of CVE-2022-40199 is low, with a severity value of 2.7.
This vulnerability allows a remote authenticated attacker with administrative privileges to obtain the product's directory structure information.
To fix CVE-2022-40199, it is recommended to update EC-CUBE to the latest version available, which includes a patch for this vulnerability.