PT-2023-30241 · Twig+1
三浦 剛 · Published 2023-11-07 · Updated 2023-11-15 · CVE-2023-46845
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
EC-CUBE versions 3.0.0 through 3.0.18-p6
EC-CUBE versions 4.0.0 through 4.0.6-p3
EC-CUBE versions 4.1.0 through 4.1.2-p2
EC-CUBE versions 4.2.0 through 4.2.2
Description
The issue is caused by improper settings of the Twig template engine included in the product: a user with administrative privilege can achieve arbitrary code execution on the server where the product is running.
Recommendations
For versions 3.0.0 through 3.0.18-p6, update the template engine settings to prevent arbitrary code execution.
For versions 4.0.0 through 4.0.6-p3, update the template engine settings to prevent arbitrary code execution.
For versions 4.1.0 through 4.1.2-p2, update the template engine settings to prevent arbitrary code execution.
For versions 4.2.0 through 4.2.2, update the template engine settings to prevent arbitrary code execution.
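The recommendation above is about restricting what admin-editable Twig templates can reach. The following is an added example, not code from EC-CUBE, the Twig project or this advisory; it assumes Twig 3.x installed via Composer, a hypothetical `Product` class, and that the weak setting is an unsandboxed Twig environment, which the advisory itself does not spell out.

```php
<?php
// Added example, not code from EC-CUBE or the Twig project. It contrasts an
// unsandboxed Twig environment (assumed here as the weak setting) with one
// that runs admin-editable templates under Twig's SandboxExtension.
require __DIR__ . '/vendor/autoload.php'; // Twig 3.x via Composer (assumed)

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical model object exposed to templates.
final class Product
{
    public string $name = 'Coffee mug';
    public function internalOnly(): string { return 'must not be reachable from a template'; }
}

// Constructed sample: a template as an administrator might save it in the
// shop's template editor. Only product.name is a legitimate reference.
$loader = new ArrayLoader([
    'page.twig' => 'Item: {{ product.name }} / {{ product.internalOnly() }}',
]);
$context = ['product' => new Product()];

// Weak setting (assumed): no sandbox, so any method on any object and any
// registered function is callable from a template an admin can edit.
$open = new Environment($loader, ['autoescape' => 'html']);
echo $open->render('page.twig', $context), PHP_EOL; // the method call succeeds

// Hardened setting: an allow-list policy, enforced for every template.
$policy = new SecurityPolicy(
    ['if', 'for', 'set'],          // allowed tags
    ['escape', 'upper', 'length'], // allowed filters
    [],                            // allowed methods: none on any class
    [Product::class => ['name']],  // allowed properties, per class
    []                             // allowed functions: none
);
$safe = new Environment($loader, ['autoescape' => 'html']);
$safe->addExtension(new SandboxExtension($policy, true)); // true = always sandboxed

try {
    echo $safe->render('page.twig', $context), PHP_EOL;
} catch (SecurityError $e) {
    // Raised for product.internalOnly(); treat it as a policy violation to log,
    // not as a template error to paper over.
    echo 'Blocked by sandbox policy: ', $e->getMessage(), PHP_EOL;
}
```

The allow-list is deliberately small; widen it per class, filter or tag only as the shop's templates actually need, since anything added becomes reachable from the admin template editor.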
Weakness Enumeration: Code Injection
Related Identifiers: CVE-2023-46845
Affected Products: Ec-Cube, Twig