PT-2024-29636 · Ec Cube · Ec-Cube

Published: 2024-07-30 · Updated: 2025-03-18 · CVE-2024-41924

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: EC-CUBE versions 4 series

Description: A vulnerability exists where the software accepts extraneous untrusted data alongside trusted data. If exploited, an attacker with administrative privileges may be able to install arbitrary PHP packages. This could potentially lead to the installation of obsolete PHP package versions, which may be affected by known vulnerabilities.

Recommendations: For EC-CUBE version 4 series, ensure that only trusted data is accepted and validate all input to prevent the installation of arbitrary PHP packages. As a temporary workaround, consider restricting the installation of PHP packages to only those that are trusted and up-to-date.

Fix

Weakness Enumeration

Related Identifiers

CVE-2024-41924

Affected Products

Ec-Cube