CVE-2018-0657

Published Sep 7, 2018

Last updated 6 years ago

CVSS medium 4.8

Overview

Description: Cross-site scripting vulnerability in EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE (EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, and GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier) allow an attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors.
Source: vultures@jpcert.or.jp
NVD status: Analyzed

Risk scores

CVSS 3.0

Type: Primary
Base score: 4.8
Impact score: 2.7
Exploitability score: 1.7
Vector string: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

CVSS 2.0

Type: Primary
Base score: 3.5
Impact score: 2.9
Exploitability score: 6.8
Vector string: AV:N/AC:M/Au:S/C:N/I:P/A:N

Weaknesses

nvd@nist.gov: CWE-79

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:ec-cube:ec-cube:2.11:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "FA0DA371-7B35-4019-A67F-75F8CE0B691C"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:ec-cube:ec-cube_payment_module:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7BD26589-55F6-4932-8C5E-9BEE82D41373",
            "versionEndIncluding": "2.3.17"
          },
          {
            "criteria": "cpe:2.3:a:gmo-pg:gmo-pg_payment_module:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F47C5446-2A83-43CF-9AB5-EBBFBB4BAC9A",
            "versionEndIncluding": "2.3.17"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:ec-cube:ec-cube:2.12:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "E1B9AF05-5211-47EB-B448-00709CFDFEDE"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:ec-cube:ec-cube_payment_module:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CF34BE6C-9913-4277-AAF8-30FDCE8129AE",
            "versionEndIncluding": "3.5.23"
          },
          {
            "criteria": "cpe:2.3:a:gmo-pg:gmo-pg_payment_module:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D634F5CB-877B-43AB-9C57-E54C87164568",
            "versionEndIncluding": "3.5.23"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]

Overview

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References