First published: Tue Nov 07 2023
EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the Twig template engine included in the product. As a result, a user with administrative privileges may execute arbitrary code on the server where the product is running.
Credit: vultures@jpcert.or.jp
Affected Software | Affected Version | How to fix |
---|---|---|
EC-CUBE EC-CUBE | >=3.0.0<=3.0.18 | |
EC-CUBE EC-CUBE | >=4.0.0<=4.0.6 | |
EC-CUBE EC-CUBE | >=4.1.0<=4.1.2 | |
EC-CUBE EC-CUBE | >=4.2.0<4.2.3 | |
EC-CUBE EC-CUBE | =3.0.18-p1 | |
EC-CUBE EC-CUBE | =3.0.18-p2 | |
EC-CUBE EC-CUBE | =3.0.18-p3 | |
EC-CUBE EC-CUBE | =3.0.18-p4 | |
EC-CUBE EC-CUBE | =3.0.18-p5 | |
EC-CUBE EC-CUBE | =3.0.18-p6 | |
EC-CUBE EC-CUBE | =4.0.6-p1 | |
EC-CUBE EC-CUBE | =4.0.6-p2 | |
EC-CUBE EC-CUBE | =4.0.6-p3 | |
EC-CUBE EC-CUBE | =4.1.2-p1 | |
EC-CUBE EC-CUBE | =4.1.2-p2 | |
CVE-2023-46845 is a vulnerability found in EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2). It allows arbitrary code execution due to improper settings of the template engine Twig.
The severity of CVE-2023-46845 is rated as high with a severity score of 7.2.
To fix the CVE-2023-46845 vulnerability, you should update EC-CUBE to version 3.0.19 or higher for 3 series, or version 4.2.3 or higher for 4 series.
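To check a deployed EC-CUBE version against the affected ranges in the table above, here is an added Python helper; it is not part of this advisory or of the EC-CUBE project. It assumes version strings of the form X.Y.Z or X.Y.Z-pN as listed in the table, with 3.0.19 and 4.2.3 as the first fixed releases as stated above.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Affected ranges taken from the advisory table: lower bound inclusive,
# upper bound exclusive. A "-pN" patch release sorts after its base version
# (3.0.18-p6 > 3.0.18), so "<= 3.0.18" plus its -p1..-p6 rows becomes "< 3.0.19".
AFFECTED_RANGES = [
    ((3, 0, 0, 0), (3, 0, 19, 0)),   # 3.0.0 .. 3.0.18-p6 (fixed in 3.0.19)
    ((4, 0, 0, 0), (4, 0, 7, 0)),    # 4.0.0 .. 4.0.6-p3
    ((4, 1, 0, 0), (4, 1, 3, 0)),    # 4.1.0 .. 4.1.2-p2
    ((4, 2, 0, 0), (4, 2, 3, 0)),    # 4.2.0 .. 4.2.2 (fixed in 4.2.3)
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Optional[Version]:
    """Parse 'X.Y.Z' or 'X.Y.Z-pN' into a comparable tuple; None if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_affected(text: str) -> Optional[bool]:
    """True if the version is in an affected range, False if not,
    None if it cannot be parsed (treat unknown as needing manual review)."""
    v = parse_version(text)
    if v is None:
        return None
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Classify a list of version strings, e.g. collected from an inventory."""
    return {text: is_affected(text) for text in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["3.0.18-p6", "3.0.19", "4.2.2", "4.2.3", "4.1.2-p2", "4.0.6", "n/a"]
    for version, state in triage(sample).items():
        label = "AFFECTED" if state else ("not affected" if state is False else "unknown")
        print(f"{version:12} -> {label}")
```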
You can find more information about CVE-2023-46845 on the EC-CUBE official website.
CWE-94 is the Common Weakness Enumeration category for Improper Control of Generation of Code (Code Injection).