CVE-2023-46845

Published: Nov 7, 2023Modified: Jun 17, 2026

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.

Affected (15)

Products: Ec Cube: Ec Cube

Ec Cube

1 product

Ec Cube

Configuration A

15 vulnerable

Vulnerable Software	Affected Versions
Ec Cube Ec Cube	From 3.0.0 to 3.0.18
Ec Cube Ec Cube	From 4.0.0 to 4.0.6
Ec Cube Ec Cube	From 4.1.0 to 4.1.2
Ec Cube Ec Cube	From 4.2.0 to 4.2.3
Ec Cube Ec Cube	Version 3.0.18 p1
Ec Cube Ec Cube	Version 3.0.18 p2
Ec Cube Ec Cube	Version 3.0.18 p3
Ec Cube Ec Cube	Version 3.0.18 p4
Ec Cube Ec Cube	Version 3.0.18 p5
Ec Cube Ec Cube	Version 3.0.18 p6
Ec Cube Ec Cube	Version 4.0.6 p1
Ec Cube Ec Cube	Version 4.0.6 p2
Ec Cube Ec Cube	Version 4.0.6 p3
Ec Cube Ec Cube	Version 4.1.2 p1
Ec Cube Ec Cube	Version 4.1.2 p2