Package Instance

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.

Improper Control of Generation of Code ('Code Injection')
EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.

EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface
# Vulnerability Allowing MFA Bypass

## Affected EC-CUBE Versions
Versions: 4.1.0 – 4.3.1

## Vulnerability Overview
If an administrator’s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication (2FA) and log in to the administrative interface.

## Severity and Impact

**CVSS v3.1 score**  
Base score: 6.2 / Temporal score: 5.7 / Environmental score (after mitigation and countermeasures): 0.0

An attacker can forcibly overwrite the 2FA configuration of an account with administrative privileges. As a result, the legitimate administrator can be locked out, while the attacker can log in to the administrative interface and perform unauthorized actions such as viewing sensitive information or tampering with the website.

## Root Cause Details

There are flaws in the access control implementation for the 2FA settings page (`/admin/two_factor_auth/set`).

1. **TwoFactorAuthListener.php**  
   The route for the 2FA settings page (`admin_two_factor_auth_set`) is included in the list of routes excluded from the 2FA authentication check.

2. **TwoFactorAuthController.php**  
   Even for users who already have 2FA configured, the implementation allows reconfiguration (overwriting) of the 2FA secret key without passing 2FA authentication.

## Attack Preconditions and Steps

**Preconditions:**
- The attacker knows the administrative user’s ID and password.
- 2FA is enabled for that user.

**Attack Steps:**
1. Attempt to log in using the ID and password.
2. When the 2FA code entry screen is displayed, do not enter a code; instead, directly modify the URL to access `/admin/two_factor_auth/set`.
3. Because access is not denied, the attacker can generate and save (overwrite) a new 2FA secret key.


# MFAバイパスが可能な脆弱性

## EC-CUBEバージョン
バージョン:  4.1.0 ~ 4.3.1