First published: Thu Aug 17 2023
EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of the Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of another administrator or a user who accessed the website using the product.
Credit: vultures@jpcert.or.jp
Affected Software | Affected Version | How to fix |
---|---|---|
EC-CUBE EC-CUBE | >=2.11.0, <=2.11.5 | |
EC-CUBE EC-CUBE | >=2.12.0, <=2.12.6 | |
EC-CUBE EC-CUBE | >=2.13.0, <2.13.5 | |
EC-CUBE EC-CUBE | >=2.17.0, <2.17.2 | |
EC-CUBE EC-CUBE | =2.13.5 | |
EC-CUBE EC-CUBE | =2.13.5-patch1 | |
EC-CUBE EC-CUBE | =2.17.2 | |
EC-CUBE EC-CUBE | =2.17.2-patch1 | |
CVE-2023-40281 is a cross-site scripting vulnerability in EC-CUBE 2.11.0 to 2.17.2-p1.
CVE-2023-40281 affects EC-CUBE versions 2.11.0 to 2.17.2-p1.
CVE-2023-40281 has a severity rating of medium with a score of 4.8.
CVE-2023-40281 allows arbitrary script execution on the web browsers of administrators or users.
To fix CVE-2023-40281, update EC-CUBE to a version higher than 2.17.2-p1 and apply any available patches.