VulnerableCode Package Details - pkg:composer/ec-cube/ec-cube@4.3.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-tf8y-9k9g-jbct Aliases: GHSA-7rhv-h82h-vpjh	EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface # Vulnerability Allowing MFA Bypass ## Affected EC-CUBE Versions Versions: 4.1.0 – 4.3.1 ## Vulnerability Overview If an administrator’s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication (2FA) and log in to the administrative interface. ## Severity and Impact CVSS v3.1 score Base score: 6.2 / Temporal score: 5.7 / Environmental score (after mitigation and countermeasures): 0.0 An attacker can forcibly overwrite the 2FA configuration of an account with administrative privileges. As a result, the legitimate administrator can be locked out, while the attacker can log in to the administrative interface and perform unauthorized actions such as viewing sensitive information or tampering with the website. ## Root Cause Details There are flaws in the access control implementation for the 2FA settings page (`/admin/two_factor_auth/set`). 1. TwoFactorAuthListener.php The route for the 2FA settings page (`admin_two_factor_auth_set`) is included in the list of routes excluded from the 2FA authentication check. 2. TwoFactorAuthController.php Even for users who already have 2FA configured, the implementation allows reconfiguration (overwriting) of the 2FA secret key without passing 2FA authentication. ## Attack Preconditions and Steps Preconditions: - The attacker knows the administrative user’s ID and password. - 2FA is enabled for that user. Attack Steps: 1. Attempt to log in using the ID and password. 2. When the 2FA code entry screen is displayed, do not enter a code; instead, directly modify the URL to access `/admin/two_factor_auth/set`. 3. Because access is not denied, the attacker can generate and save (overwrite) a new 2FA secret key. # MFAバイパスが可能な脆弱性 ## EC-CUBEバージョンバージョン: 4.1.0 ~ 4.3.1	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-tf8y-9k9g-jbct
Aliases:
GHSA-7rhv-h82h-vpjh

EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface # Vulnerability Allowing MFA Bypass ## Affected EC-CUBE Versions Versions: 4.1.0 – 4.3.1 ## Vulnerability Overview If an administrator’s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication (2FA) and log in to the administrative interface. ## Severity and Impact **CVSS v3.1 score** Base score: 6.2 / Temporal score: 5.7 / Environmental score (after mitigation and countermeasures): 0.0 An attacker can forcibly overwrite the 2FA configuration of an account with administrative privileges. As a result, the legitimate administrator can be locked out, while the attacker can log in to the administrative interface and perform unauthorized actions such as viewing sensitive information or tampering with the website. ## Root Cause Details There are flaws in the access control implementation for the 2FA settings page (`/admin/two_factor_auth/set`). 1. **TwoFactorAuthListener.php** The route for the 2FA settings page (`admin_two_factor_auth_set`) is included in the list of routes excluded from the 2FA authentication check. 2. **TwoFactorAuthController.php** Even for users who already have 2FA configured, the implementation allows reconfiguration (overwriting) of the 2FA secret key without passing 2FA authentication. ## Attack Preconditions and Steps **Preconditions:** - The attacker knows the administrative user’s ID and password. - 2FA is enabled for that user. **Attack Steps:** 1. Attempt to log in using the ID and password. 2. When the 2FA code entry screen is displayed, do not enter a code; instead, directly modify the URL to access `/admin/two_factor_auth/set`. 3. Because access is not denied, the attacker can generate and save (overwrite) a new 2FA secret key. # MFAバイパスが可能な脆弱性 ## EC-CUBEバージョンバージョン: 4.1.0 ~ 4.3.1

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:51:23.444535+00:00	GitLab Importer	Affected by	VCID-tf8y-9k9g-jbct	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/GHSA-7rhv-h82h-vpjh.yml	38.6.0

2026-06-02T04:51:23.444535+00:00

GitLab Importer

Affected by

VCID-tf8y-9k9g-jbct

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/GHSA-7rhv-h82h-vpjh.yml

38.6.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk