Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/ec-cube/ec-cube@2.11.0
purl pkg:composer/ec-cube/ec-cube@2.11.0
Next non-vulnerable version 3.0.17
Latest non-vulnerable version 4.2.3
Risk
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-5eu9-23qz-4uab
Aliases:
CVE-2018-0657
Cross-site Scripting A Cross-site scripting vulnerability in EC-CUBE Payment Module allow an attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors.
3.0.0
Affected by 4 other vulnerabilities.
VCID-9xhp-yr36-4qak
Aliases:
CVE-2023-40281
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product.
2.13.5
Affected by 1 other vulnerability.
2.17.2
Affected by 1 other vulnerability.
VCID-he32-4cf1-akf5
Aliases:
CVE-2023-22438
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script.
4.0.6-p1
Affected by 0 other vulnerabilities.
4.1.2-p1
Affected by 0 other vulnerabilities.
4.2.1
Affected by 0 other vulnerabilities.
VCID-mmfy-uhca-ukeq
Aliases:
CVE-2018-0658
Improper Input Validation An Input validation issue in EC-CUBE Payment Module allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors.
3.0.0
Affected by 4 other vulnerabilities.
VCID-nw9p-g3hb-sqg4
Aliases:
CVE-2021-20842
Cross-Site Request Forgery (CSRF) A Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series to allows a remote attacker to hijack the authentication of Administrators and delete Administrators via a specially crafted web page.
3.0.0
Affected by 4 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-02T04:45:36.303448+00:00 GitLab Importer Affected by VCID-9xhp-yr36-4qak https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2023-40281.yml 38.6.0
2026-06-02T04:44:11.264222+00:00 GitLab Importer Affected by VCID-he32-4cf1-akf5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2023-22438.yml 38.6.0
2026-06-02T04:40:35.567018+00:00 GitLab Importer Affected by VCID-nw9p-g3hb-sqg4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2021-20842.yml 38.6.0
2026-06-02T04:38:13.402163+00:00 GitLab Importer Affected by VCID-mmfy-uhca-ukeq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2018-0658.yml 38.6.0
2026-06-02T04:38:13.365476+00:00 GitLab Importer Affected by VCID-5eu9-23qz-4uab https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2018-0657.yml 38.6.0