VYPR
Vendor: Ec Cube Co.,ltd.

Products: 24
CVEs: 72
Across products: 86
Status: Private

Recent CVEs (72)
  • CVE-2022-37346 (Critical), Sep 27, 2022
    Risk score 0.64, CVSS 9.8, EPSS 0.01

    EC-CUBE plugin 'Product Image Bulk Upload Plugin' 1.0.0 and 4.1.0 contains an insufficient verification vulnerability when uploading files. Exploiting this vulnerability allows a remote unauthenticated attacker to upload arbitrary files other than image files. If a user with an…

  • CVE-2016-4837 (Critical), Aug 1, 2016
    Risk score 0.64, CVSS 9.8, EPSS 0.02

    SQL injection vulnerability in the Seed Coupon plugin before 1.6 for EC-CUBE allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2014-0808 (Critical), Jan 22, 2014
    Risk score 0.59, CVSS 9.1, EPSS 0.02

    Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the affected shopping website may obtain other users' information by sending a…

  • CVE-2016-1201 (High), Apr 30, 2016
    Risk score 0.57, CVSS 8.8, EPSS 0.01

    Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 3.0.0 through 3.0.9 allows remote attackers to hijack the authentication of administrators.

  • CVE-2022-23510 (Critical), Dec 9, 2022
    Risk score 0.55, CVSS 9.6, EPSS 0.01

    cube-js is a headless business intelligence platform. In version 0.31.23 all authenticated Cube clients could bypass SQL row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. This issue has been resolved in version 0.31.24. Users are advised…

  • CVE-2020-5590 (High), Jun 19, 2020
    Risk score 0.53, CVSS 8.1, EPSS 0.02

    Directory traversal vulnerability in EC-CUBE 3.0.0 to 3.0.18 and 4.0.0 to 4.0.3 allows remote authenticated attackers to delete arbitrary files and/or directories on the server via unspecified vectors.

  • CVE-2018-0564 (High), Apr 20, 2018
    Risk score 0.53, CVSS 8.1, EPSS 0.02

    Session fixation vulnerability in EC-CUBE (EC-CUBE 3.0.0, EC-CUBE 3.0.1, EC-CUBE 3.0.2, EC-CUBE 3.0.3, EC-CUBE 3.0.4, EC-CUBE 3.0.5, EC-CUBE 3.0.6, EC-CUBE 3.0.7, EC-CUBE 3.0.8, EC-CUBE 3.0.9, EC-CUBE 3.0.10, EC-CUBE 3.0.11, EC-CUBE 3.0.12, EC-CUBE 3.0.12-p1, EC-CUBE 3.0.13,…

  • CVE-2021-20778 (High), Jul 1, 2021
    Risk score 0.49, CVSS 7.5, EPSS 0.02

    Improper access control vulnerability in EC-CUBE 4.0.6 (EC-CUBE 4 series) allows a remote attacker to bypass access restriction and obtain sensitive information via unspecified vectors.

  • CVE-2020-5680 (High), Dec 3, 2020
    Risk score 0.49, CVSS 7.5, EPSS 0.01

    Improper input validation vulnerability in EC-CUBE versions from 3.0.5 to 3.0.18 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vector.

  • CVE-2024-41924 (High), Jul 30, 2024
    Risk score 0.47, CVSS 7.2, EPSS 0.00

    Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are…

  • CVE-2023-46845 (High), Nov 7, 2023
    Risk score 0.47, CVSS 7.2, EPSS 0.02

    EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be…

  • CVE-2018-0658 (High), Sep 7, 2018
    Risk score 0.47, CVSS 7.2, EPSS 0.01

    Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service)…

  • CVE-2021-20842 (Medium), Nov 24, 2021
    Risk score 0.42, CVSS 6.5, EPSS 0.01

    Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page.

  • CVE-2021-20841 (Medium), Nov 24, 2021
    Risk score 0.42, CVSS 6.5, EPSS 0.01

    Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors.

  • CVE-2016-1200 (Medium), Apr 30, 2016
    Risk score 0.41, CVSS 6.3, EPSS 0.01

    The management screen in LOCKON EC-CUBE 3.0.7 through 3.0.9 allows remote authenticated users to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2016-1199.

  • CVE-2024-41141 (Medium), Jul 30, 2024
    Risk score 0.40, CVSS 6.1, EPSS 0.00

    Stored cross-site scripting vulnerability exists in EC-CUBE Web API Plugin. When there are multiple users using OAuth Management feature and one of them inputs some crafted value on the OAuth Management page, an arbitrary script may be executed on the web browser of the other…

  • CVE-2021-20828 (Medium), Sep 17, 2021
    Risk score 0.40, CVSS 6.1, EPSS 0.01

    Cross-site scripting vulnerability in Order Status Batch Change Plug-in (for EC-CUBE 3.0 series) all versions allows a remote attacker to inject an arbitrary script via unspecified vectors.

  • CVE-2021-20825 (Medium), Sep 17, 2021
    Risk score 0.40, CVSS 6.1, EPSS 0.01

    Cross-site scripting vulnerability in List (order management) item change plug-in (for EC-CUBE 3.0 series) Ver.1.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors.

  • CVE-2021-20751 (Medium), Jun 28, 2021
    Risk score 0.40, CVSS 6.1, EPSS 0.01

    Cross-site scripting vulnerability in EC-CUBE EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific operation.

  • CVE-2021-20750 (Medium), Jun 28, 2021
    Risk score 0.40, CVSS 6.1, EPSS 0.02

    Cross-site scripting vulnerability in EC-CUBE EC-CUBE 3.0.0 to 3.0.18-p2 (EC-CUBE 3 series) and EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a…

VYPR — Vulnerability Intelligence