• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: EC-CUBE SQL Injection and Cross-Site Scripting Vulnerabilities

Severity: MODERATE

Description:

EC-CUBE is an open-source system for creating shopping sites. It is implemented in PHP.

The application is prone to three unspecified cross-site scripting issues and one unspecified SQL-injection issue because it fails to sufficiently sanitize user-supplied input.

An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

The attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The following versions are vulnerable:

EC-CUBE 2.1.2a and earlier
EC-CUBE 2.3.0-rc1 and earlier
EC-CUBE 2.2.0-beta and earlier
EC-CUBE 2.1.1-beta and earlier

EC-CUBE 1.4.6 and earlier
EC-CUBE 1.5.0-beta and earlier

EC-CUBE Community Edition 1.3.4 and earlier
EC-CUBE Community Edition Nightly-Build r17319 and earlier
EC-CUBE Community Edition Nightly-Build r17336 and earlier
EC-CUBE Community Edition Nightly-Build r17623 and earlier

Affected Products:

• EC-CUBE EC-CUBE 1.0.0
• EC-CUBE EC-CUBE 1.0.1a beta
• EC-CUBE EC-CUBE 1.4.6
• EC-CUBE EC-CUBE 1.5.0-beta
• EC-CUBE EC-CUBE 2.1.1-beta
• EC-CUBE EC-CUBE 2.1.2a
• EC-CUBE EC-CUBE 2.2.0-beta
• EC-CUBE EC-CUBE 2.3.0-rc1
• EC-CUBE EC-CUBE Community Edition 1.3.4
• EC-CUBE EC-CUBE Community Edition Nightly-Build r17319
• EC-CUBE EC-CUBE Community Edition Nightly-Build r17336
• EC-CUBE EC-CUBE Community Edition Nightly-Build r17623

References:

• EC-CUBE: Vendor Homepage
• JVN: JVN#26621646 EC-CUBE cross-site scripting vulnerability
• JVN: JVN#36085487 EC-CUBE cross-site scripting vulnerability
• JVN: JVN#81111541 EC-CUBE vulnerable to SQL injection
• JVN: JVN#99916563 EC-CUBE cross-site scripting vulnerability

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.