EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.
References
Link | Resource |
---|---|
https://jvn.jp/en/jp/JVN29195731/ | Third Party Advisory |
https://www.ec-cube.net/info/weakness/20231026/index.php | Exploit Patch Vendor Advisory |
https://www.ec-cube.net/info/weakness/20231026/index_3.php | Exploit Patch Vendor Advisory |
https://www.ec-cube.net/info/weakness/20231026/index_40.php | Exploit Patch Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: jpcert
Published: 2023-11-07T07:39:57.896Z
Updated: 2023-11-07T07:39:57.896Z
Reserved: 2023-10-27T08:05:25.926Z
Link: CVE-2023-46845
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-11-07T08:15:24.257
Modified: 2023-11-15T15:21:57.587
Link: CVE-2023-46845
JSON object: View
Redhat Information
No data.
CWE