← Back

CVE-2023-40281

nvd nist
Published: Aug 17, 2023Modified: Jun 17, 2026

JSON object

Loading...
4.8
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 / Impact: 2.7
Source: NVD

Description

EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product.

Affected (8)

Products: Ec Cube: Ec Cube
Ec Cube
1 product
Ec Cube
Configuration A
8 vulnerable
Vulnerable SoftwareAffected Versions
Ec Cube
Ec Cube
From 2.11.0 to 2.11.5
Ec Cube
From 2.12.0 to 2.12.6
Ec Cube
From 2.13.0 to 2.13.5
Ec Cube
From 2.17.0 to 2.17.2
Ec Cube
Version 2.13.5
Ec Cube
Version 2.13.5 patch1
Ec Cube
Version 2.17.2
Ec Cube
Version 2.17.2 patch1

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

Source: vultures@jpcert.or.jp
Third Party Advisory
Source: vultures@jpcert.or.jp
MitigationPatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
MitigationPatchVendor Advisory

Timeline

No history available yet.