VYPR
Critical severity 9.8 · NVD Advisory · Published Aug 1, 2016 · Updated May 6, 2026

CVE-2016-4837

Description

SQL injection in EC-CUBE Coupon Plugin before 1.6 allows remote attackers to execute arbitrary SQL commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Seed Coupon plugin for EC-CUBE, versions 1.5 and earlier, contains a SQL injection vulnerability (CWE-89) [1]. The flaw is reachable through unspecified vectors within the plugin, allowing direct injection of SQL queries through input parameters. The plugin is a coupon management component for the EC-CUBE e-commerce platform.

Exploitation

An attacker can exploit this vulnerability remotely over the network without requiring any authentication or user interaction [2]. The attack complexity is low, meaning an attacker can send a specially crafted HTTP request to the vulnerable plugin endpoint, injecting arbitrary SQL commands. No special privileges or access rights are needed.

Impact

Successful exploitation allows a remote attacker to obtain or alter information stored in the underlying database [1]. This can lead to disclosure of sensitive data such as customer information or order details, as well as modification or deletion of database contents. The CVSS v3 base score for this vulnerability is 9.8 (Critical), though JPCERT/CC reports a base score of 6.5 (Medium) [2].

Mitigation

The vendor, Seed Inc., released a fixed version 1.6 of the Coupon Plugin [1]. Users should update to the latest version according to the developer's information. No workarounds are documented. The vulnerability was disclosed in July 2016 and the fix was released shortly after.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

4
