Summaryinfo

A vulnerability, which was classified as critical, was found in EC-CUBE up to 3.0.18-p4/4.1.2. This affects an unknown part. The manipulation leads to pathname traversal. This vulnerability is uniquely identified as CVE-2022-40199. It is possible to initiate the attack remotely. There is no exploit available. If you want to get best quality of vulnerability data, you may have to visit VulDB.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in EC-CUBE up to 3.0.18-p4/4.1.2 (E-Commerce Management Software). Affected by this issue is an unknown code block. The manipulation with an unknown input leads to a pathname traversal vulnerability. Using CWE to declare the problem leads to CWE-21. Impacted is confidentiality. CVE summarizes:

Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure information.

The weakness was presented 09/28/2022. The advisory is shared for download at jvn.jp. This vulnerability is handled as CVE-2022-40199 since 09/09/2022. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1006.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• E-Commerce Management Software

Name

• EC-CUBE

Version

• 3.0.18-p4
• 4.1.0
• 4.1.1
• 4.1.2

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion