VulnerableCode Package Details - pkg:composer/ec-cube/ec-cube@4.2.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-f13c-wzhp-cqap Aliases: CVE-2023-25077	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.	4.2.1 Affected by 0 other vulnerabilities.
VCID-fuus-wqhf-s3be Aliases: CVE-2023-46845	Improper Control of Generation of Code ('Code Injection') EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.	4.2.3 Affected by 0 other vulnerabilities.
VCID-he32-4cf1-akf5 Aliases: CVE-2023-22438	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script.	4.2.1 Affected by 0 other vulnerabilities.
VCID-kgjm-uhbj-gffx Aliases: CVE-2023-22838	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.	4.2.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-f13c-wzhp-cqap
Aliases:
CVE-2023-25077

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.

4.2.1
Affected by 0 other vulnerabilities.

VCID-fuus-wqhf-s3be
Aliases:
CVE-2023-46845

Improper Control of Generation of Code ('Code Injection') EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.

4.2.3
Affected by 0 other vulnerabilities.

VCID-he32-4cf1-akf5
Aliases:
CVE-2023-22438

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script.

4.2.1
Affected by 0 other vulnerabilities.

VCID-kgjm-uhbj-gffx
Aliases:
CVE-2023-22838

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.

4.2.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:46:15.470663+00:00	GitLab Importer	Affected by	VCID-fuus-wqhf-s3be	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2023-46845.yml	38.6.0
2026-06-02T04:44:11.327046+00:00	GitLab Importer	Affected by	VCID-he32-4cf1-akf5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2023-22438.yml	38.6.0
2026-06-02T04:44:10.379674+00:00	GitLab Importer	Affected by	VCID-kgjm-uhbj-gffx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2023-22838.yml	38.6.0
2026-06-02T04:44:10.216518+00:00	GitLab Importer	Affected by	VCID-f13c-wzhp-cqap	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2023-25077.yml	38.6.0