GCVE - cpe:2.3:a:ec-cube_co.,ltd.:ec-cube_4_series:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:ec-cube_co.,ltd.:ec-cube_4_series:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Ec Cube Co.,Ltd. (`8b2f95c1-98af-5eac-94a4-13a78806ff7b`)
Product	Ec Cube 4 Series (`c48fd149-3230-50bc-8072-3204f3deec5c`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2024-41924`	vulnerable	2026-06-03 14:56:35.248522	Details available Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are installed, the product may be affected by some known vulnerabilities. Published: 2024-07-30T08:45:48.496Z Updated: 2025-03-18T18:30:25.776Z Open on db.gcve.eu Reference links https://www.ec-cube.net/info/weakness/20240701/index.php https://jvn.jp/en/jp/JVN48324254/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-46845`	vulnerable	2026-06-03 14:53:16.607856	Details available EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege. Published: 2023-11-07T07:39:57.896Z Updated: 2024-09-04T20:28:15.713Z Open on db.gcve.eu Reference links https://www.ec-cube.net/info/weakness/20231026/index_40.php https://www.ec-cube.net/info/weakness/20231026/index.php https://www.ec-cube.net/info/weakness/20231026/index_3.php https://jvn.jp/en/jp/JVN29195731/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-25077`	vulnerable	2026-06-03 14:49:32.226936	Details available Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script. Published: 2023-03-05T00:00:00.000Z Updated: 2025-03-06T15:59:31.592Z Open on db.gcve.eu Reference links https://www.ec-cube.net/info/weakness/20230214/ https://jvn.jp/en/jp/JVN04785663/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-22838`	vulnerable	2026-06-03 14:49:20.315759	Details available Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script. Published: 2023-03-05T00:00:00.000Z Updated: 2025-03-06T16:02:05.314Z Open on db.gcve.eu Reference links https://www.ec-cube.net/info/weakness/20230214/ https://jvn.jp/en/jp/JVN04785663/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-38975`	vulnerable	2026-06-03 14:47:50.647807	Details available DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page. Published: 2022-09-27T01:55:16.000Z Updated: 2025-05-21T18:24:22.908Z Open on db.gcve.eu Reference links https://www.ec-cube.net/info/weakness/20220909/ https://jvn.jp/en/jp/JVN21213852/index.html	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.