VulnerableCode Package Details - pkg:composer/ec-cube/ec-cube@4.1.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-f13c-wzhp-cqap Aliases: CVE-2023-25077	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.	4.1.2-p1 Affected by 0 other vulnerabilities. 4.2.1 Affected by 0 other vulnerabilities.
VCID-fuus-wqhf-s3be Aliases: CVE-2023-46845	Improper Control of Generation of Code ('Code Injection') EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.	4.1.2-p1 Affected by 0 other vulnerabilities. 4.2.3 Affected by 0 other vulnerabilities.
VCID-he32-4cf1-akf5 Aliases: CVE-2023-22438	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script.	4.1.2-p1 Affected by 0 other vulnerabilities. 4.2.1 Affected by 0 other vulnerabilities.
VCID-kgjm-uhbj-gffx Aliases: CVE-2023-22838	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.	4.1.2-p1 Affected by 0 other vulnerabilities. 4.2.1 Affected by 0 other vulnerabilities.
VCID-tf8y-9k9g-jbct Aliases: GHSA-7rhv-h82h-vpjh	EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface # Vulnerability Allowing MFA Bypass ## Affected EC-CUBE Versions Versions: 4.1.0 – 4.3.1 ## Vulnerability Overview If an administrator’s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication (2FA) and log in to the administrative interface. ## Severity and Impact CVSS v3.1 score Base score: 6.2 / Temporal score: 5.7 / Environmental score (after mitigation and countermeasures): 0.0 An attacker can forcibly overwrite the 2FA configuration of an account with administrative privileges. As a result, the legitimate administrator can be locked out, while the attacker can log in to the administrative interface and perform unauthorized actions such as viewing sensitive information or tampering with the website. ## Root Cause Details There are flaws in the access control implementation for the 2FA settings page (`/admin/two_factor_auth/set`). 1. TwoFactorAuthListener.php The route for the 2FA settings page (`admin_two_factor_auth_set`) is included in the list of routes excluded from the 2FA authentication check. 2. TwoFactorAuthController.php Even for users who already have 2FA configured, the implementation allows reconfiguration (overwriting) of the 2FA secret key without passing 2FA authentication. ## Attack Preconditions and Steps Preconditions: - The attacker knows the administrative user’s ID and password. - 2FA is enabled for that user. Attack Steps: 1. Attempt to log in using the ID and password. 2. When the 2FA code entry screen is displayed, do not enter a code; instead, directly modify the URL to access `/admin/two_factor_auth/set`. 3. Because access is not denied, the attacker can generate and save (overwrite) a new 2FA secret key. # MFAバイパスが可能な脆弱性 ## EC-CUBEバージョンバージョン: 4.1.0 ~ 4.3.1	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-f13c-wzhp-cqap
Aliases:
CVE-2023-25077

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.

4.1.2-p1
Affected by 0 other vulnerabilities.

4.2.1
Affected by 0 other vulnerabilities.

VCID-fuus-wqhf-s3be
Aliases:
CVE-2023-46845

Improper Control of Generation of Code ('Code Injection') EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.

4.1.2-p1
Affected by 0 other vulnerabilities.

4.2.3
Affected by 0 other vulnerabilities.

VCID-he32-4cf1-akf5
Aliases:
CVE-2023-22438

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script.

4.1.2-p1
Affected by 0 other vulnerabilities.

4.2.1
Affected by 0 other vulnerabilities.

VCID-kgjm-uhbj-gffx
Aliases:
CVE-2023-22838

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.

4.1.2-p1
Affected by 0 other vulnerabilities.

4.2.1
Affected by 0 other vulnerabilities.

VCID-tf8y-9k9g-jbct
Aliases:
GHSA-7rhv-h82h-vpjh

EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface # Vulnerability Allowing MFA Bypass ## Affected EC-CUBE Versions Versions: 4.1.0 – 4.3.1 ## Vulnerability Overview If an administrator’s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication (2FA) and log in to the administrative interface. ## Severity and Impact **CVSS v3.1 score** Base score: 6.2 / Temporal score: 5.7 / Environmental score (after mitigation and countermeasures): 0.0 An attacker can forcibly overwrite the 2FA configuration of an account with administrative privileges. As a result, the legitimate administrator can be locked out, while the attacker can log in to the administrative interface and perform unauthorized actions such as viewing sensitive information or tampering with the website. ## Root Cause Details There are flaws in the access control implementation for the 2FA settings page (`/admin/two_factor_auth/set`). 1. **TwoFactorAuthListener.php** The route for the 2FA settings page (`admin_two_factor_auth_set`) is included in the list of routes excluded from the 2FA authentication check. 2. **TwoFactorAuthController.php** Even for users who already have 2FA configured, the implementation allows reconfiguration (overwriting) of the 2FA secret key without passing 2FA authentication. ## Attack Preconditions and Steps **Preconditions:** - The attacker knows the administrative user’s ID and password. - 2FA is enabled for that user. **Attack Steps:** 1. Attempt to log in using the ID and password. 2. When the 2FA code entry screen is displayed, do not enter a code; instead, directly modify the URL to access `/admin/two_factor_auth/set`. 3. Because access is not denied, the attacker can generate and save (overwrite) a new 2FA secret key. # MFAバイパスが可能な脆弱性 ## EC-CUBEバージョンバージョン: 4.1.0 ~ 4.3.1

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:51:23.439564+00:00	GitLab Importer	Affected by	VCID-tf8y-9k9g-jbct	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/GHSA-7rhv-h82h-vpjh.yml	38.6.0
2026-06-02T04:46:15.462691+00:00	GitLab Importer	Affected by	VCID-fuus-wqhf-s3be	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2023-46845.yml	38.6.0
2026-06-02T04:44:11.318496+00:00	GitLab Importer	Affected by	VCID-he32-4cf1-akf5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2023-22438.yml	38.6.0
2026-06-02T04:44:10.371595+00:00	GitLab Importer	Affected by	VCID-kgjm-uhbj-gffx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2023-22838.yml	38.6.0
2026-06-02T04:44:10.207989+00:00	GitLab Importer	Affected by	VCID-f13c-wzhp-cqap	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2023-25077.yml	38.6.0