


IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in EC-CUBE

Published: Oct 14, 2011

Information-technology Promotion Agency, Japan (IPA, Chairman Kazumasa Fujie) issued a security alert on October 14, 2011 concerning a security vulnerability in EC-CUBE. To fix this vulnerability, update the software to the fixed version provided by the product developer.


EC-CUBE from LOCKON CO. LTD. is open-source software for building online shopping websites. EC-CUBE is vulnerable to SQL injection because of a flaw in its database processing: user-supplied input reaches an SQL statement without proper handling. If exploited, the vulnerability could allow an attacker to obtain personal information stored in the EC-CUBE database.
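The following is an added illustration of the flaw class this alert describes (CWE-89), not code from EC-CUBE or from the IPA alert. It uses a constructed SQLite table standing in for a shop's customer table, and shows a lookup that splices input into the SQL text beside the parameterized form that the fix relies on. The table name, columns and sample rows are assumptions made for the example.

```python
import sqlite3

# Constructed sample data: a stand-in for an online shop's customer table.
# The schema and rows are invented for this example, not EC-CUBE's own.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customer (name, email) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    conn.commit()
    return conn


def find_by_name_vulnerable(conn, name):
    """Defective pattern: the caller's input becomes part of the SQL text.

    Any quote character in `name` ends the string literal early, so the
    input is interpreted as SQL rather than as data.  This is the shape of
    defect CWE-89 describes.
    """
    sql = "SELECT name, email FROM customer WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name):
    """Hardened pattern: the value is bound as a parameter.

    The database driver sends the statement and the value separately, so
    the input can never change the statement's structure.  Quotes in the
    input are simply part of the compared string.
    """
    sql = "SELECT name, email FROM customer WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Return (rows from vulnerable lookup, rows from safe lookup) for one input."""
    conn = make_db()
    try:
        return find_by_name_vulnerable(conn, name), find_by_name_safe(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign input behaves identically in both versions.
    print(compare("alice"))
    # Input containing a quote: the concatenated query leaks every row,
    # the parameterized query correctly matches nothing.
    print(compare("' OR '1'='1"))
```

Reviewing a code base for this class of bug means looking for SQL strings built with concatenation or string formatting from request data; the fix is to bind every value as a parameter (or use a query builder that does so) rather than to escape input by hand.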

Get the fixed version at the following URL and update the software. (Japanese)
For the latest information, refer to the following URL:

In line with the Information Security Early Warning Partnership, the IPA received a report concerning this vulnerability from the reporter credited below, and the JPCERT Coordination Center (JPCERT/CC) coordinated with the product developer and made the vulnerability public on October 14, 2011.

Credit: Nobuhisa Tsukada Seasoft (Reported: September 2, 2011)


An attacker could manipulate the EC-CUBE database and obtain personal information.



To fix this vulnerability, update the software to the fixed version provided by the product developer.

4. CVSS Severity

(1) Evaluation Result

Severity Rating (CVSS base score): □ Low  □ High
CVSS base score:

(2) Base Score Metrics

AV: Access Vector          □ Local     □ Adjacent  ■ Network
AC: Access Complexity      □ High      □ Medium    ■ Low
Au: Authentication         □ Multiple  □ Single    ■ None
C:  Confidentiality Impact □ None      ■ Partial   □ Complete
I:  Integrity Impact       ■ None      □ Partial   □ Complete
A:  Availability Impact    ■ None      □ Partial   □ Complete

■: Selected Values
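The base score field above is empty on this page, but it is fully determined by the selected metrics. As an added example (not part of the IPA alert), the code below implements the published CVSS v2 base score equations and applies them to the vector the alert reports for EC-CUBE, AV:N/AC:L/Au:N/C:P/I:N/A:N. The three-level severity bands (Low below 4.0, Medium from 4.0 to 6.9, High from 7.0) are the common v2 mapping and are an assumption about how this page's rating boxes are filled.

```python
# CVSS v2 base score computation.  The metric weights and equations are the
# published CVSS v2 constants; the vector string format is the standard
# "AV:x/AC:x/Au:x/C:x/I:x/A:x" notation.

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # None / Partial / Complete

# Metric vector as given in this alert for EC-CUBE.
EC_CUBE_VECTOR = "AV:N/AC:L/Au:N/C:P/I:N/A:N"


def parse_vector(vector):
    """Split a v2 vector string into a {metric: value} dict, validating each part."""
    metrics = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        if not value:
            raise ValueError("malformed metric: %r" % part)
        metrics[key] = value
    expected = {"AV", "AC", "Au", "C", "I", "A"}
    if set(metrics) != expected:
        raise ValueError("vector must contain exactly the metrics %s" % sorted(expected))
    return metrics


def impact_subscore(metrics):
    """10.41 * (1 - (1 - C) * (1 - I) * (1 - A))"""
    c, i, a = (IMPACT[metrics[k]] for k in ("C", "I", "A"))
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def exploitability_subscore(metrics):
    """20 * AccessVector * AccessComplexity * Authentication"""
    return (20 * ACCESS_VECTOR[metrics["AV"]]
            * ACCESS_COMPLEXITY[metrics["AC"]]
            * AUTHENTICATION[metrics["Au"]])


def base_score(vector):
    """Return the CVSS v2 base score, rounded to one decimal as the standard requires."""
    metrics = parse_vector(vector)
    impact = impact_subscore(metrics)
    exploitability = exploitability_subscore(metrics)
    # f(Impact) is 0 when there is no impact at all, otherwise 1.176.
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def severity(score):
    """Map a base score to the three-level rating used on this page (assumed bands)."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    s = base_score(EC_CUBE_VECTOR)
    print(EC_CUBE_VECTOR, "->", s, severity(s))
```

Because integrity and availability impact are both None here, only the partial confidentiality impact drives the impact subscore, while the network-reachable, low-complexity, unauthenticated exploitability subscore is at its maximum; that combination is what makes a read-only data disclosure score in the middle of the v2 range.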

5. CWE Type

This vulnerability is classified under CWE as "SQL Injection (CWE-89)".


IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)