PT-2022-23939 · EC-CUBE · Product Image Bulk Upload Plugin

Published 2022-09-27 · Updated 2022-09-30 · CVE-2022-37346

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: EC-CUBE plugin 'Product Image Bulk Upload Plugin' versions 1.0.0 through 4.1.0

Description: The issue is insufficient verification of uploaded files. This allows a remote unauthenticated attacker to upload arbitrary files other than image files. If a user with administrative privilege is led to upload a specially crafted file, an arbitrary script may be executed on the system.

Recommendations: For versions 1.0.0 through 4.1.0, consider disabling the file upload functionality until a patch is available to prevent exploitation. Restrict access to the plugin's upload feature to minimize the risk of arbitrary script execution. Avoid using the plugin for uploading files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
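The weakness described above is a missing server-side check on what an upload actually contains, as opposed to what the client says it is. The following is an added illustration of how such a check is typically hardened in a PHP application; it is not code from EC-CUBE or from the plugin, and the function name, the form field name and the upload directory are assumptions. Three independent checks (extension allowlist, content-sniffed MIME type, successful image decode) must all agree before the file is stored under a server-generated name.

```php
<?php
// Added example: generic hardened image-upload validation for a PHP
// application. This is NOT the EC-CUBE plugin's code; the function name,
// the form field "product_image" and /var/www/uploads are assumptions.

declare(strict_types=1);

/**
 * Accepts an uploaded image only when three independent checks agree:
 *   1. the client-supplied extension is on an allowlist,
 *   2. the MIME type sniffed from the bytes (not the request header)
 *      matches that extension,
 *   3. the file decodes as an image of the same type.
 * Returns the path the file was stored under, or throws.
 */
function validate_image_upload(array $file, string $uploadDir): string
{
    // Allowed extensions and the sniffed MIME type each must map to.
    // SVG is deliberately absent: it is XML that may carry script.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];
    // getimagesize() type constant expected for each MIME type.
    $imageTypes = [
        'image/jpeg' => IMAGETYPE_JPEG,
        'image/png'  => IMAGETYPE_PNG,
        'image/gif'  => IMAGETYPE_GIF,
    ];

    if (!isset($file['error'], $file['tmp_name'], $file['name'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or incomplete');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 1. Extension allowlist. Only the final extension is consulted, and
    //    the original filename is never reused on disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension not permitted');
    }
    $expectedMime = $allowed[$ext];

    // 2. Content sniffing via libmagic. The request's Content-Type
    //    ($file['type']) is client-controlled and deliberately ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->file($file['tmp_name']);
    if ($sniffed !== $expectedMime) {
        throw new RuntimeException('Content does not match the declared extension');
    }

    // 3. The bytes must actually decode as an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== $imageTypes[$expectedMime]) {
        throw new RuntimeException('File is not a decodable image');
    }

    // Store under a random server-generated name, in a directory the web
    // server is configured never to execute scripts from.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    return $dest;
}

// Usage (assumed form field name):
// try {
//     $path = validate_image_upload($_FILES['product_image'], '/var/www/uploads');
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo 'Rejected: ' . $e->getMessage();
// }
```

The design point is that no single signal is trusted: the extension and the request's Content-Type are both supplied by the client, the sniffed type can be satisfied by a file with a valid header and arbitrary trailing content, and only a full decode plus storage under a non-executable path with a random name closes the gap the advisory describes. Where the upload handler is reachable by unauthenticated users, the same validation must run regardless of who triggers it.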

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2022-37346

Affected Products: Ec-Cube; Product Image Bulk Upload Plugin