VYPR

Vendor CVEs

Ec Cube Co.,ltd.

All CVEs

72 total · sorted by risk
  • CVE-2022-37346CriSep 27, 2022
    risk 0.64cvss 9.8epss 0.01

    EC-CUBE plugin 'Product Image Bulk Upload Plugin' 1.0.0 and 4.1.0 contains an insufficient verification vulnerability when uploading files. Exploiting this vulnerability allows a remote unauthenticated attacker to upload arbitrary files other than image files. If a user with an…

  • CVE-2016-4837CriAug 1, 2016
    risk 0.64cvss 9.8epss 0.02

    SQL injection vulnerability in the Seed Coupon plugin before 1.6 for EC-CUBE allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2014-0808CriJan 22, 2014
    risk 0.59cvss 9.1epss 0.02

    Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the affected shopping website may obtain other users' information by sending a…

  • CVE-2016-1201HigApr 30, 2016
    risk 0.57cvss 8.8epss 0.01

    Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 3.0.0 through 3.0.9 allows remote attackers to hijack the authentication of administrators.

  • CVE-2022-23510CriDec 9, 2022
    risk 0.55cvss 9.6epss 0.01

    cube-js is a headless business intelligence platform. In version 0.31.23 all authenticated Cube clients could bypass SQL row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. This issue has been resolved in version 0.31.24. Users are advised…

  • CVE-2020-5590HigJun 19, 2020
    risk 0.53cvss 8.1epss 0.02

    Directory traversal vulnerability in EC-CUBE 3.0.0 to 3.0.18 and 4.0.0 to 4.0.3 allows remote authenticated attackers to delete arbitrary files and/or directories on the server via unspecified vectors.

  • CVE-2018-0564HigApr 20, 2018
    risk 0.53cvss 8.1epss 0.02

    Session fixation vulnerability in EC-CUBE (EC-CUBE 3.0.0, EC-CUBE 3.0.1, EC-CUBE 3.0.2, EC-CUBE 3.0.3, EC-CUBE 3..4, EC-CUBE 3.0.5, EC-CUBE 3.0.6, EC-CUBE 3.0.7, EC-CUBE 3.0.8, EC-CUBE 3.0.9, EC-CUBE 3.0.10, EC-CUBE 3.0.11, EC-CUBE 3.0.12, EC-CUBE 3.0.12-p1, EC-CUBE 3.0.13,…

  • CVE-2021-20778HigJul 1, 2021
    risk 0.49cvss 7.5epss 0.02

    Improper access control vulnerability in EC-CUBE 4.0.6 (EC-CUBE 4 series) allows a remote attacker to bypass access restriction and obtain sensitive information via unspecified vectors.

  • CVE-2020-5680HigDec 3, 2020
    risk 0.49cvss 7.5epss 0.01

    Improper input validation vulnerability in EC-CUBE versions from 3.0.5 to 3.0.18 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vector.

  • CVE-2024-41924HigJul 30, 2024
    risk 0.47cvss 7.2epss 0.00

    Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are…

  • CVE-2023-46845HigNov 7, 2023
    risk 0.47cvss 7.2epss 0.02

    EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be…

  • CVE-2018-0658HigSep 7, 2018
    risk 0.47cvss 7.2epss 0.01

    Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service)…

  • CVE-2021-20842MedNov 24, 2021
    risk 0.42cvss 6.5epss 0.01

    Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page.

  • CVE-2021-20841MedNov 24, 2021
    risk 0.42cvss 6.5epss 0.01

    Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors.

  • CVE-2016-1200MedApr 30, 2016
    risk 0.41cvss 6.3epss 0.01

    The management screen in LOCKON EC-CUBE 3.0.7 through 3.0.9 allows remote authenticated users to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2016-1199.

  • CVE-2024-41141MedJul 30, 2024
    risk 0.40cvss 6.1epss 0.00

    Stored cross-site scripting vulnerability exists in EC-CUBE Web API Plugin. When there are multiple users using OAuth Management feature and one of them inputs some crafted value on the OAuth Management page, an arbitrary script may be executed on the web browser of the other…

  • CVE-2021-20828MedSep 17, 2021
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting vulnerability in Order Status Batch Change Plug-in (for EC-CUBE 3.0 series) all versions allows a remote attacker to inject an arbitrary script via unspecified vectors.

  • CVE-2021-20825MedSep 17, 2021
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting vulnerability in List (order management) item change plug-in (for EC-CUBE 3.0 series) Ver.1.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors.

  • CVE-2021-20751MedJun 28, 2021
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting vulnerability in EC-CUBE EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific operation.

  • CVE-2021-20750MedJun 28, 2021
    risk 0.40cvss 6.1epss 0.02

    Cross-site scripting vulnerability in EC-CUBE EC-CUBE 3.0.0 to 3.0.18-p2 (EC-CUBE 3 series) and EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a…

  • CVE-2021-20744MedJun 22, 2021
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting vulnerability in EC-CUBE Category contents plugin (for EC-CUBE 3.0 series) versions prior to version 1.0.1 allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific…

  • CVE-2021-20743MedJun 22, 2021
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting vulnerability in EC-CUBE Email newsletters management plugin (for EC-CUBE 3.0 series) versions prior to version 1.0.4 allows a remote attacker to inject an arbitrary script by leading a user to a specially crafted page and to perform a specific operation.

  • CVE-2021-20742MedJun 22, 2021
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting vulnerability in EC-CUBE Business form output plugin (for EC-CUBE 3.0 series) versions prior to version 1.0.1 allows a remote attacker to inject an arbitrary script via unspecified vector.

  • CVE-2021-20735MedJun 22, 2021
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows…

  • CVE-2021-20717MedMay 10, 2021
    risk 0.40cvss 6.1epss 0.02

    Cross-site scripting vulnerability in EC-CUBE 4.0.0 to 4.0.5 allows a remote attacker to inject a specially crafted script in the specific input field of the EC web site which is created using EC-CUBE. As a result, it may lead to an arbitrary script execution on the…

  • CVE-2020-5679MedDec 3, 2020
    risk 0.40cvss 6.1epss 0.01

    Improper restriction of rendered UI layers or frames in EC-CUBE versions from 3.0.0 to 3.0.18 leads to clickjacking attacks. If a user accesses a specially crafted page while logged into the administrative page, unintended operations may be conducted.

  • CVE-2019-6003MedSep 12, 2019
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting vulnerability in EC-CUBE plugin 'Amazon Pay Plugin 2.12,2.13' version 2.4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2018-16191MedJan 9, 2019
    risk 0.40cvss 6.1epss 0.01

    Open redirect vulnerability in EC-CUBE (EC-CUBE 3.0.0, EC-CUBE 3.0.1, EC-CUBE 3.0.2, EC-CUBE 3.0.3, EC-CUBE 3.0.4, EC-CUBE 3.0.5, EC-CUBE 3.0.6, EC-CUBE 3.0.7, EC-CUBE 3.0.8, EC-CUBE 3.0.9, EC-CUBE 3.0.10, EC-CUBE 3.0.11, EC-CUBE 3.0.12, EC-CUBE 3.0.12-p1, EC-CUBE 3.0.13,…

  • CVE-2016-1180MedApr 8, 2016
    risk 0.40cvss 6.1epss 0.02

    Cross-site scripting (XSS) vulnerability in the Cyber-Will Social-button Premium plugin before 1.1 for EC-CUBE 2.13.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2023-50709MedDec 13, 2023
    risk 0.35cvss 6.5epss 0.01

    Cube is a semantic layer for building data applications. Prior to version 0.34.34, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. The issue has been patched in `v0.34.34` and it's recommended that all…

  • CVE-2023-25077MedMar 6, 2023
    risk 0.35cvss 5.4epss 0.01

    Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.

  • CVE-2023-22838MedMar 6, 2023
    risk 0.35cvss 5.4epss 0.01

    Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.

  • CVE-2023-22438MedMar 6, 2023
    risk 0.35cvss 5.4epss 0.01

    Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6,…

  • CVE-2022-38975MedSep 27, 2022
    risk 0.35cvss 5.4epss 0.01

    DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page.

  • CVE-2022-25355MedFeb 24, 2022
    risk 0.35cvss 5.3epss 0.01

    EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users.

  • CVE-2016-1199MedApr 30, 2016
    risk 0.35cvss 5.3epss 0.01

    The login page in the management screen in LOCKON EC-CUBE 3.0.0 through 3.0.9 allows remote attackers to bypass intended IP address restrictions via unspecified vectors, a different vulnerability than CVE-2016-1200.

  • CVE-2023-40281MedAug 17, 2023
    risk 0.31cvss 4.8epss 0.00

    EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed…

  • CVE-2018-0657MedSep 7, 2018
    risk 0.31cvss 4.8epss 0.01

    Cross-site scripting vulnerability in EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE (EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG…

  • CVE-2022-27174MedJun 13, 2022
    risk 0.28cvss 4.3epss 0.00

    Cross-site request forgery (CSRF) vulnerability in Easy Blog for EC-CUBE4 Ver.1.0.1 and earlier allows a remote unauthenticated attacker to hijack the authentication of the administrator and delete a blog article or a category via a specially crafted page.

  • CVE-2022-21179MedFeb 24, 2022
    risk 0.28cvss 4.3epss 0.00

    Cross-site request forgery (CSRF) vulnerability in EC-CUBE plugin 'Mail Magazine Management Plugin' ver4.0.0 to 4.1.1 (for EC-CUBE 4 series) and ver1.0.0 to 1.0.4 (for EC-CUBE 3 series) allows a remote unauthenticated attacker to hijack the authentication of an administrator via…

  • CVE-2022-40199LowSep 27, 2022
    risk 0.18cvss 2.7epss 0.01

    Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure information.

  • CVE-2026-30777Mar 5, 2026
    risk 0.00cvss epss 0.00

    EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page.

  • CVE-2026-25958Feb 9, 2026
    risk 0.00cvss epss 0.00

    Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14.

  • CVE-2026-25957Feb 9, 2026
    risk 0.00cvss epss 0.00

    Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2.

  • CVE-2015-5665Oct 27, 2015
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 2.11.0 through 2.13.3 allows remote attackers to hijack the authentication of arbitrary users for requests that write to PHP scripts, related to the doValidToken function.

  • CVE-2014-0807Jan 22, 2014
    risk 0.00cvss epss 0.02

    data/class/pages/shopping/LC_Page_Shopping_Deliv.php in LOCKON EC-CUBE 2.4.4 and earlier, and 2.11.0 through 2.12.2, allows remote attackers to modify data via unspecified vectors.

  • CVE-2013-5996Nov 21, 2013
    risk 0.00cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in shopping/payment.tpl components in LOCKON EC-CUBE 2.11.0 through 2.13.0 allow remote attackers to inject arbitrary web script or HTML via crafted values.

  • CVE-2013-5995Nov 21, 2013
    risk 0.00cvss epss 0.01

    data/class/helper/SC_Helper_Address.php in the front-features implementation in LOCKON EC-CUBE 2.12.3 through 2.13.0 allows remote authenticated users to obtain sensitive information via unspecified vectors related to addresses.

  • CVE-2013-5994Nov 21, 2013
    risk 0.00cvss epss 0.01

    data/class/pages/mypage/LC_Page_Mypage_DeliveryAddr.php in LOCKON EC-CUBE 2.11.2 through 2.13.0 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message.

  • CVE-2013-5993Nov 21, 2013
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 2.11.0 through 2.13.0 allows remote attackers to hijack the authentication of arbitrary users via unspecified vectors related to refusals.

Page 1 of 2