CVE-2023-22438
packagist/ec-cube/ec-cube
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script.
All versions starting from 2.11.0 up to 2.11.5, all versions starting from 2.12.0 up to 2.12.6, all versions starting from 2.13.0 up to 2.13.5, all versions starting from 2.17.0 up to 2.17.2, all versions starting from 3.0.0 up to 3.0.18, all versions starting from 4.0.0 up to 4.0.6, all versions starting from 4.1.0 up to 4.1.2, version 4.2.0
Upgrade to versions 4.0.6-p1, 4.1.2-p1, 4.2.1 or above.
2023-03-14