PT-2013-3658 · Lockon · Ec-Cube

Gen Sato · Published 2013-05-29 · Updated 2013-06-04 · CVE-2013-2314

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: LOCKON EC-CUBE versions 2.11.0 through 2.12.3enP2

Description: A cross-site scripting (XSS) issue exists in the adminAuthorization function, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL associated with the management screen. The affected code is the adminAuthorization function in SC_Helper_Session.php.

Recommendations: For versions 2.11.0 through 2.12.3enP2, as a temporary workaround, consider restricting access to the management screen until a patch is available. Because a crafted URL is the injection vector, administrators should not open untrusted links to the management screen.

Fix

XSS


Weakness Enumeration: (none listed)

Related Identifiers: CVE-2013-2314

Affected Products: Ec-Cube