GCVE - cpe:2.3:a:ec-cube:ec-cube:4.2.0:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:ec-cube:ec-cube:4.2.0:*:*:*:*:*:*:*

part: a version: 4.2.0 update: *

Vendor	Ec Cube (`5677c0e6-0154-50a5-b443-40e157e92c1a`)
Product	Ec Cube (`9b322bbb-ef9e-5ff2-8b04-e200594426c4`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:github/ec-cube/ec-cube`	purl2cpe	2026-06-01 10:15:46.287832

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2024-41924`	vulnerable	2026-06-03 14:56:35.247951	Details available Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are installed, the product may be affected by some known vulnerabilities. Published: 2024-07-30T08:45:48.496Z Updated: 2025-03-18T18:30:25.776Z Open on db.gcve.eu Reference links https://www.ec-cube.net/info/weakness/20240701/index.php https://jvn.jp/en/jp/JVN48324254/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-25077`	vulnerable	2026-06-03 14:49:32.229622	Details available Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script. Published: 2023-03-05T00:00:00.000Z Updated: 2025-03-06T15:59:31.592Z Open on db.gcve.eu Reference links https://www.ec-cube.net/info/weakness/20230214/ https://jvn.jp/en/jp/JVN04785663/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-22838`	vulnerable	2026-06-03 14:49:20.315897	Details available Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script. Published: 2023-03-05T00:00:00.000Z Updated: 2025-03-06T16:02:05.314Z Open on db.gcve.eu Reference links https://www.ec-cube.net/info/weakness/20230214/ https://jvn.jp/en/jp/JVN04785663/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-22438`	vulnerable	2026-06-03 14:49:19.067996	Details available Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script. Published: 2023-03-05T00:00:00.000Z Updated: 2025-03-07T21:47:56.848Z Open on db.gcve.eu Reference links https://www.ec-cube.net/info/weakness/20230214/ https://www.ec-cube.net/info/weakness/20230214/index_3.php https://www.ec-cube.net/info/weakness/20230214/index_2.php https://jvn.jp/en/jp/JVN04785663/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.