GCVE - cpe:2.3:a:ec-cube:ec-cube:4.0.6:p2:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:ec-cube:ec-cube:4.0.6:p2:*:*:*:*:*:*

part: a version: 4.0.6 update: p2

Vendor	Ec Cube (`5677c0e6-0154-50a5-b443-40e157e92c1a`)
Product	Ec Cube (`9b322bbb-ef9e-5ff2-8b04-e200594426c4`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:github/ec-cube/ec-cube`	purl2cpe	2026-06-01 10:15:46.284243

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2023-46845`	vulnerable	2026-06-03 14:53:16.617652	Details available EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege. Published: 2023-11-07T07:39:57.896Z Updated: 2024-09-04T20:28:15.713Z Open on db.gcve.eu Reference links https://www.ec-cube.net/info/weakness/20231026/index_40.php https://www.ec-cube.net/info/weakness/20231026/index.php https://www.ec-cube.net/info/weakness/20231026/index_3.php https://jvn.jp/en/jp/JVN29195731/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-25077`	vulnerable	2026-06-03 14:49:32.228598	Details available Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script. Published: 2023-03-05T00:00:00.000Z Updated: 2025-03-06T15:59:31.592Z Open on db.gcve.eu Reference links https://www.ec-cube.net/info/weakness/20230214/ https://jvn.jp/en/jp/JVN04785663/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-22838`	vulnerable	2026-06-03 14:49:20.315858	Details available Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script. Published: 2023-03-05T00:00:00.000Z Updated: 2025-03-06T16:02:05.314Z Open on db.gcve.eu Reference links https://www.ec-cube.net/info/weakness/20230214/ https://jvn.jp/en/jp/JVN04785663/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-22438`	vulnerable	2026-06-03 14:49:19.066980	Details available Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script. Published: 2023-03-05T00:00:00.000Z Updated: 2025-03-07T21:47:56.848Z Open on db.gcve.eu Reference links https://www.ec-cube.net/info/weakness/20230214/ https://www.ec-cube.net/info/weakness/20230214/index_3.php https://www.ec-cube.net/info/weakness/20230214/index_2.php https://jvn.jp/en/jp/JVN04785663/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.