CVE-2018-0658 - OpenCVE

Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Gmo-pg	Gmo-pg Payment Module
Ec-cube	Ec-cube Payment Module Ec-cube

Configuration 1 [-]

AND

OR	cpe:2.3:a:ec-cube:ec-cube_payment_module::::::::
	cpe:2.3:a:gmo-pg:gmo-pg_payment_module::::::::

cpe:2.3:a:ec-cube:ec-cube:2.11:*:*:*:*:*:*:*

Configuration 2 [-]

AND

OR	cpe:2.3:a:ec-cube:ec-cube_payment_module::::::::
	cpe:2.3:a:gmo-pg:gmo-pg_payment_module::::::::

cpe:2.3:a:ec-cube:ec-cube:2.12:*:*:*:*:*:*:*

References

Link	Resource
http://jvn.jp/en/jp/JVN06372244/index.html	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jpcert

Published: 2018-09-07T14:00:00

Updated: 2018-09-07T13:57:01

Reserved: 2017-11-27T00:00:00

Link: CVE-2018-0658

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-09-07T14:29:02.633

Modified: 2018-11-20T20:41:32.440

Link: CVE-2018-0658

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE", "vendor": "GMO Payment Gateway, Inc.", "versions": [{"status": "affected", "version": "(EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, and GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier)"}]}], "datePublic": "2018-08-09T00:00:00", "descriptions": [{"lang": "en", "value": "Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors."}], "problemTypes": [{"descriptions": [{"description": "Improper Input Validation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-09-07T13:57:01", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"name": "JVN#06372244", "tags": ["third-party-advisory", "x_refsource_JVN"], "url": "http://jvn.jp/en/jp/JVN06372244/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2018-0658", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE", "version": {"version_data": [{"version_value": "(EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, and GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier)"}]}}]}, "vendor_name": "GMO Payment Gateway, Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "JVN#06372244", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN06372244/index.html"}]}}}}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2018-0658", "datePublished": "2018-09-07T14:00:00", "dateReserved": "2017-11-27T00:00:00", "dateUpdated": "2018-09-07T13:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ec-cube:ec-cube_payment_module:*:*:*:*:*:*:*:*", "matchCriteriaId": "7BD26589-55F6-4932-8C5E-9BEE82D41373", "versionEndIncluding": "2.3.17", "vulnerable": true}, {"criteria": "cpe:2.3:a:gmo-pg:gmo-pg_payment_module:*:*:*:*:*:*:*:*", "matchCriteriaId": "F47C5446-2A83-43CF-9AB5-EBBFBB4BAC9A", "versionEndIncluding": "2.3.17", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:ec-cube:ec-cube:2.11:*:*:*:*:*:*:*", "matchCriteriaId": "FA0DA371-7B35-4019-A67F-75F8CE0B691C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ec-cube:ec-cube_payment_module:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF34BE6C-9913-4277-AAF8-30FDCE8129AE", "versionEndIncluding": "3.5.23", "vulnerable": true}, {"criteria": "cpe:2.3:a:gmo-pg:gmo-pg_payment_module:*:*:*:*:*:*:*:*", "matchCriteriaId": "D634F5CB-877B-43AB-9C57-E54C87164568", "versionEndIncluding": "3.5.23", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:ec-cube:ec-cube:2.12:*:*:*:*:*:*:*", "matchCriteriaId": "E1B9AF05-5211-47EB-B448-00709CFDFEDE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors."}, {"lang": "es", "value": "Problema de validaci\u00f3n de entradas en EC-CUBE Payment Module (2.12) en versiones 3.5.23 y anteriores, EC-CUBE Payment Module (2.11) en versiones 2.3.17 y anteriores, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) en versiones 3.5.23 y anteriores y GMO-PG Payment Module (PG Multi-Payment Service) (2.11) en versiones 2.3.17 y anteriores permite que un atacante con permisos de administrador ejecute c\u00f3digo PHP arbitrario en el servidor mediante vectores sin especificar."}], "id": "CVE-2018-0658", "lastModified": "2018-11-20T20:41:32.440", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-09-07T14:29:02.633", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "http://jvn.jp/en/jp/JVN06372244/index.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}