CVE-2023-46845

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-46845
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46845.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-46845
Published
2023-11-07T08:15:24Z
Modified
2025-01-08T09:42:16.966899Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the Twig template engine included in the product. As a result, a user with administrative privileges may execute arbitrary code on the server where the product is running.

References

Affected packages

Git / github.com/ec-cube/ec-cube

Affected ranges

Type
GIT
Repo
https://github.com/ec-cube/ec-cube
Events

Affected versions

4.*

4.2.0
4.2.1
4.2.1-20230116
4.2.2
4.2.2-20230606
4.2.2-20230616
4.2.3-20231002
4.2.3-20231023

co/4.*

co/4.2-20221006
co/4.2-20221013
co/4.2-20221020
co/4.2-20221027
co/4.2-20221215
co/4.2-20230119
co/4.2-20230216
co/4.2-20230222
co/4.2-20230511
co/4.2-20230608
co/4.2-20230921
co/4.2-20231005
co/4.2-20231026