PT-2023-30241 · Twig+1
三浦 剛
· Published 2023-11-07 · Updated 2023-11-15 · CVE-2023-46845
CVSS v3.1: 7.2 (High)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
|---|---|
Name of the Vulnerable Software and Affected Versions
EC-CUBE versions 3.0.0 through 3.0.18-p6
EC-CUBE versions 4.0.0 through 4.0.6-p3
EC-CUBE versions 4.1.0 through 4.1.2-p2
EC-CUBE versions 4.2.0 through 4.2.2
Description
The issue is due to improper settings of the template engine Twig included in the product, allowing a user with administrative privilege to execute arbitrary code on the server where the product is running.
Recommendations
For versions 3.0.0 through 3.0.18-p6, update the template engine settings to prevent arbitrary code execution.
For versions 4.0.0 through 4.0.6-p3, update the template engine settings to prevent arbitrary code execution.
For versions 4.1.0 through 4.1.2-p2, update the template engine settings to prevent arbitrary code execution.
For versions 4.2.0 through 4.2.2, update the template engine settings to prevent arbitrary code execution.
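The recommendation above is about configuration rather than a code fix in the product: a template engine that lets an administrator-editable template reach arbitrary functions turns "edit a template" into "run code on the server". The following PHP snippet is an added illustration, not EC-CUBE's code and not the vendor's actual patch; it shows the generic Twig hardening that addresses this class of issue, an environment rendering a template unsandboxed beside the same environment with Twig's SandboxExtension and an allow-list SecurityPolicy. The template string, the helper function name `internal_helper` and the Composer autoload path are constructed for the example.

```php
<?php
// Added illustration (not EC-CUBE code): enabling Twig's sandbox so that
// template authors cannot call functions outside an explicit allow-list.
require __DIR__ . '/vendor/autoload.php'; // assumes twig/twig is installed via Composer

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;
use Twig\TwigFunction;

// Constructed template: an admin-editable template that calls a helper
// that was registered for internal use and never meant for template authors.
$templates = ['page.twig' => "{{ internal_helper('x') }}"];

// Weak setting: no sandbox, so anything a template author writes runs with
// the application's privileges as soon as the template is rendered.
$weak = new Environment(new ArrayLoader($templates));
$weak->addFunction(new TwigFunction('internal_helper', fn ($a) => "ran with $a"));
echo $weak->render('page.twig'), "\n"; // the helper executes

// Hardened setting: same template and same registered function, but the
// sandbox is enabled for every template and the policy lists only what
// templates legitimately need. internal_helper is deliberately absent.
$policy = new SecurityPolicy(
    ['if', 'for'],        // allowed tags
    ['escape', 'upper'],  // allowed filters
    [],                   // allowed methods, keyed by class name
    [],                   // allowed properties, keyed by class name
    ['range']             // allowed functions
);
$hardened = new Environment(new ArrayLoader($templates));
$hardened->addFunction(new TwigFunction('internal_helper', fn ($a) => "ran with $a"));
$hardened->addExtension(new SandboxExtension($policy, true)); // true = sandbox all templates

try {
    $hardened->render('page.twig');
} catch (SecurityError $e) {
    // Twig rejects the call during the security check, before the PHP code
    // behind internal_helper ever runs.
    echo 'blocked: ', $e->getMessage(), "\n";
}
```

The design point is that the allow-list lives in the policy, not in the template: adding a function to the environment does not expose it to template authors until it is also listed in the policy. Treat templates that an administrator can edit through the web interface as untrusted input, and log sandbox SecurityError exceptions, since a template that suddenly trips the policy is worth a look.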
Exploit
Fix
Code Injection
Weakness Enumeration
Related identifiers
Affected products
EC-CUBE
Twig