CVE-2023-46845
CVSS base score: 7.2
Exploit

EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.

Data is provided by the National Vulnerability Database (NVD)
Affected configurations (vendor: Ec-cube, product: Ec-cube):

Vendor   Product  Version range / update
Ec-cube  Ec-cube  >= 3.0.0, <= 3.0.18
Ec-cube  Ec-cube  >= 4.0.0, <= 4.0.6
Ec-cube  Ec-cube  >= 4.1.0, <= 4.1.2
Ec-cube  Ec-cube  >= 4.2.0, < 4.2.3
Ec-cube  Ec-cube  3.0.18, update p1
Ec-cube  Ec-cube  3.0.18, update p2
Ec-cube  Ec-cube  3.0.18, update p3
Ec-cube  Ec-cube  3.0.18, update p4
Ec-cube  Ec-cube  3.0.18, update p5
Ec-cube  Ec-cube  3.0.18, update p6
Ec-cube  Ec-cube  4.0.6, update p1
Ec-cube  Ec-cube  4.0.6, update p2
Ec-cube  Ec-cube  4.0.6, update p3
Ec-cube  Ec-cube  4.1.2, update p1
Ec-cube  Ec-cube  4.1.2, update p2
No CISA KEV entry or CERT.AT advisory was found for this CVE.

EPSS Metrics

Type  Source     Score  Percentile
EPSS  FIRST.org  1.18%  0.775

CVSS Metrics

Source        Base Score  Exploit Score  Impact Score  Vector string
nvd@nist.gov  7.2         1.2            5.9           CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-94: Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.