IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in EC-CUBE

December 7, 2009

Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) issued a security alert on December 7, 2009 concerning a vulnerability in EC-CUBE.
The vulnerability can lead to the leakage of information stored in the EC-CUBE system. If exploited, customer information held in the EC-CUBE system may be disclosed to a malicious attacker.
To fix the vulnerability, update to the fixed version or modify the affected system file by following the instructions provided by the product developer.

1.Overview

EC-CUBE, from LOCKON CO., LTD., is open-source software for building online shopping websites.

EC-CUBE has a vulnerability that can lead to the leakage of information stored in the EC-CUBE system. If exploited, customer information held in the EC-CUBE system may be disclosed to a malicious attacker.

Given the high potential impact of the vulnerability and the wide use of EC-CUBE in Japan, IPA has issued this security alert to raise awareness among the many website operators who may be affected.

For detailed information, refer to the following URL:
http://www.ec-cube.net/info/weakness/index.php (Japanese)

For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2009-000078

IPA and JPCERT Coordination Center (JPCERT/CC) received a report concerning this vulnerability directly from the product developer on November 27, 2009, in line with the Information Security Early Warning Partnership, and made the announcement public on December 7, 2009.

2.Impact

The customer information held in the EC-CUBE system may be disclosed to a malicious attacker.


3.Solution

To fix the vulnerability, update to the fixed version or modify the affected system file by following the instructions provided by the product developer.

4.CVSS Severity

(1)Evaluation Result

Severity Rating (CVSS base score)
  □ Low    (0.0~3.9)
  ■ Medium (4.0~6.9)
  □ High   (7.0~10.0)

CVSS base score: 5.0

(2) Base Score Metrics

AV: Access Vector         □ Local     □ Adjacent Network   ■ Network
AC: Access Complexity     □ High      □ Medium             ■ Low
Au: Authentication        □ Multiple  □ Single             ■ None
C:  Confidentiality Impact □ None     ■ Partial            □ Complete
I:  Integrity Impact      ■ None      □ Partial            □ Complete
A:  Availability Impact   ■ None      □ Partial            □ Complete

■:Selected Values

5.CWE Type

This vulnerability has been classified under CWE as “Information Leak (Information Disclosure) (CWE-200)”.

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: