CVE-2023-46845

Improper Control of Generation of Code ('Code Injection') in packagist/ec-cube/ec-cube

Identifiers

CVE-2023-46845

Package Slug

packagist/ec-cube/ec-cube

Vulnerability

Improper Control of Generation of Code ('Code Injection')

Description

EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability caused by improper settings of the Twig template engine bundled with the product. A user with administrative privileges can therefore execute arbitrary code on the server where the product is running. Note the trust boundary: the attacker already needs an admin account, so the issue turns admin-level access into code execution on the host rather than giving an unauthenticated user a foothold.
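The page does not say which Twig setting EC-CUBE got wrong, so the following is an added illustration of the general failure mode rather than EC-CUBE's own code or fix: an admin-editable template rendered by a Twig environment without a sandbox can call any public method on any object the application hands it, whereas the same template rendered under a SandboxExtension with a restrictive SecurityPolicy is rejected at compile time. The ShopContext class, its methods, and the two template strings are constructed for this example and are not part of EC-CUBE; it assumes twig/twig is installed via Composer.

```php
<?php
// Added example, not EC-CUBE code: contrast an unsandboxed Twig environment
// with one that enforces a SecurityPolicy on templates that an admin can edit.
// Assumes `composer require twig/twig` has been run in this directory.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Hypothetical object a shop application might expose to its templates.
// One method is harmless; the other runs an OS command and must never be
// reachable from template text that an admin can type into a web form.
final class ShopContext
{
    public function shopName(): string
    {
        return 'Example Shop';
    }

    public function runMaintenance(string $cmd): string
    {
        return (string) shell_exec($cmd);
    }
}

// Constructed sample templates standing in for template text saved from an
// admin UI. The second one is what a malicious admin would submit.
const TEMPLATES = [
    'benign.twig'    => 'Welcome to {{ shop.shopName() }}',
    'malicious.twig' => '{{ shop.runMaintenance("id") }}',
];

// Weak setting: plain Environment, no sandbox. Any public method on any
// context object is callable, so malicious.twig executes `id` on the host.
function renderUnsandboxed(string $name): string
{
    $twig = new Environment(new ArrayLoader(TEMPLATES));
    return $twig->render($name, ['shop' => new ShopContext()]);
}

// Corrected setting: a whitelist policy, enforced on every template
// (second SandboxExtension argument = true), not only inside {% sandbox %}.
function renderSandboxed(string $name): string
{
    $twig = new Environment(new ArrayLoader(TEMPLATES));
    $policy = new SecurityPolicy(
        ['if', 'for'],                        // allowed tags
        ['escape', 'upper'],                  // allowed filters (escape covers autoescaping)
        [ShopContext::class => ['shopName']], // allowed methods, per class
        [],                                   // allowed properties
        []                                    // allowed functions
    );
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig->render($name, ['shop' => new ShopContext()]);
}

echo "unsandboxed benign   : ", renderUnsandboxed('benign.twig'), "\n";
echo "unsandboxed malicious: ", trim(renderUnsandboxed('malicious.twig')), "\n"; // prints uid=... (command ran)
echo "sandboxed benign     : ", renderSandboxed('benign.twig'), "\n";
try {
    echo "sandboxed malicious  : ", renderSandboxed('malicious.twig'), "\n";
} catch (SecurityError $e) {
    // Twig refuses to compile the call to runMaintenance(); no command runs.
    echo "sandboxed malicious  : blocked (", get_class($e), ")\n";
}
```

The check a practitioner wants is the last branch: with the sandbox on, the disallowed method call fails before any PHP runs, so the admin account no longer converts into shell access. The policy is an explicit allow-list; anything an admin-editable template legitimately needs (filters, functions, methods) must be added to it deliberately rather than being available by default.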

Affected Versions

All versions starting from 3.0.0 up to and including 3.0.18 (3.0.18-p6 per the description), all versions starting from 4.0.0 up to and including 4.0.6 (4.0.6-p3 per the description), all versions starting from 4.1.0 up to and including 4.1.2 (4.1.2-p2 per the description), all versions starting from 4.2.0 before 4.2.3

Solution

Upgrade to version 4.2.3 or above. The 4.0.6-p1 and 4.1.2-p1 releases named in the original entry predate the 4.0.6-p3 and 4.1.2-p2 patch levels that the description lists as still affected, so on the 4.0 and 4.1 branches install the latest patch release of that branch (or move to 4.2.3 or above); no fixed version for the 3.0 series is given here.

Last Modified

2023-11-17
