CVE-2014-0808

moderate-risk
Published 2014-01-22

Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the affected shopping website may obtain other users' information by sending a crafted HTTP request.

Do I need to act?

-
0.39% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10 Critical
NETWORK / LOW complexity

Affected Products (11)

Ec-Cube
Ec-Cube
Ec-Cube
Ec-Cube
Ec-Cube
Ec-Cube
Ec-Cube
Ec-Cube
Ec-Cube
Ec-Cube
Ec-Cube

Affected Vendors

Lockon

References (12)

http://jvn.jp/en/jp/JVN51770585/
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000006
Vendor Advisory http://www.ec-cube.net/info/weakness/weakness.php?id=57
https://ec-orange.jp/
https://jvn.jp/en/jp/JVN15637138/
https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054
http://jvn.jp/en/jp/JVN51770585/
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000006
Vendor Advisory http://www.ec-cube.net/info/weakness/weakness.php?id=57
https://ec-orange.jp/
https://jvn.jp/en/jp/JVN15637138/
https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054
48
/ 100
moderate-risk
Severity 31/34 · Critical
Exploitability 1/34 · Minimal
Exposure 16/34 · Moderate