JPCERT-AT-2021-0028
JPCERT/CC
2021-06-15
I. Overview
JPCERT/CC has confirmed information regarding vulnerabilities in multiple EC-CUBE 3.0 series plugins. These products contain cross site scripting vulnerabilities, and by leveraging these vulnerabilities,a remote attacker may execute arbitrary script on the site administrator’s web browser or users’ web browser. For more information, please refer to the information provided by developer.In addition, JPCERT/CC has confirmed the attacks that exploit the vulnerability (CVE-2021-20735). Users of the affected products are recommended to update to the latest version as soon as possible.
ETUNA (CVE-2021-20735)
Request for response to vulnerability in Delivery slip number plugin (3.0 series) (2021/06/11) (Japanese)
https://www.ec-cube.net/release/detail.php?release_id=5088
Request for response to vulnerability in Delivery slip number csv bulk registration plugin (3.0 series) (2021/06/11) (Japanese)
https://www.ec-cube.net/release/detail.php?release_id=5087
Request for response to vulnerability in Delivery slip number mail plugin (3.0 series) (2021/06/11) (Japanese)
https://www.ec-cube.net/release/detail.php?release_id=5089
EC-CUBE CO.,LTD. (CVE-2021-20742, CVE-2021-20743, CVE-2021-20744)
Business form output plugin version 1.0.1 has been released (2021/06/14) (Japanese)
https://www.ec-cube.net/release/detail.php?release_id=5091
Email newsletters management plugin version 1.0.4 has been released (2021/06/14) (Japanese)
https://www.ec-cube.net/release/detail.php?release_id=5090
Category contents plugin version 1.0.1 has been released (2021/06/14) (Japanese)
https://www.ec-cube.net/release/detail.php?release_id=5092
II. Affected Products and Versions
Affected products and versions are the following EC-CUBE 3.0 series plugins.
ETUNA (CVE-2021-20735)
– Delivery slip number plugin (3.0 series) 1.0.10 and earlier
– Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier
– Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier
EC-CUBE CO.,LTD.
– Business form output plugin versions prior to version 1.0.1 – CVE-2021-20742
– Email newsletters management plugin versions prior to version 1.0.4 – CVE-2021-20743
– Category contents plugin versions prior to version 1.0.1 – CVE-2021-20744
According to the EC-CUBE CO.,LTD., the vulnerabilities (CVE-2021-20742,CVE-2021-20743, CVE-2021-20744) exist only in EC-CUBE 3.0.0 to 3.0.8 environments, EC-CUBE versions 3.0.9 and later are not affected.
III. Solution
Developers released versions that address these vulnerabilities.Please consider applying the latest version by referring to the information published by each developer.
ETUNA
– Delivery slip number plugin (3.0 series) version 1.0.11 or later
– Delivery slip number csv bulk registration plugin (3.0 series) version 1.0.9 or later
– Delivery slip number mail plugin (3.0 series) version 1.0.9 or later
EC-CUBE CO.,LTD.
– Business form output plugin version 1.0.1
– Email newsletters management plugin version 1.0.4
– Category contents plugin version 1.0.1
IV. References
Japan Vulnerability Notes JVN#79254445
Multiple ETUNA EC-CUBE plugins vulnerable to cross-site scripting
https://jvn.jp/en/jp/JVN79254445/
Japan Vulnerability Notes JVN#57524494
Multiple cross-site scripting vulnerabilities in multiple EC-CUBE plugins provided by EC-CUBE
https://jvn.jp/en/jp/JVN57524494/
If you have any information regarding this alert, please contact JPCERT/CC.
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/
The post Security Alert: Alert Regarding Cross Site Scripting Vulnerabilities in Multiple EC-CUBE 3.0 Series Plugins appeared first on Malware Devil.
https://malwaredevil.com/2021/06/15/security-alert-alert-regarding-cross-site-scripting-vulnerabilities-in-multiple-ec-cube-3-0-series-plugins/?utm_source=rss&utm_medium=rss&utm_campaign=security-alert-alert-regarding-cross-site-scripting-vulnerabilities-in-multiple-ec-cube-3-0-series-plugins
No comments:
Post a Comment