CVE-2021-20735

EPSS 0.35%
Published 22.06.2021 02:15:07
Last modified 21.11.2024 05:47:06
Source vultures@jpcert.or.jp
Teams watchlist Login
Open Login

Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to inject an arbitrary script by executing a specific operation on the management page of EC-CUBE.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Ec-cube ≫ Delivery Slip Number SwPlatformec-cube Version <= 1.0.10

Ec-cube ≫ Delivery Slip Number Csv Bulk Registration SwPlatformec-cube Version <= 1.0.8

Ec-cube ≫ Delivery Slip Number Mail SwPlatformec-cube Version <= 1.0.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.35%	0.542

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://jvn.jp/en/jp/JVN79254445/index.html

Third Party Advisory

https://www.ec-cube.net/release/detail.php?release_id=5087

Vendor Advisory

https://www.ec-cube.net/release/detail.php?release_id=5088

Vendor Advisory

https://www.ec-cube.net/release/detail.php?release_id=5089

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-20735

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-20735

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-20735

EUVD