CVE-2022-37346

moderate-risk
Published 2022-09-27

EC-CUBE plugin 'Product Image Bulk Upload Plugin' 1.0.0 and 4.1.0 contains an insufficient verification vulnerability when uploading files. Exploiting this vulnerability allows a remote unauthenticated attacker to upload arbitrary files other than image files. If a user with an administrative privilege of EC-CUBE where the vulnerable plugin is installed is led to upload a specially crafted file, an arbitrary script may be executed on the system.

Do I need to act?

~
2.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Product Image Bulk Upload
Product Image Bulk Upload

Affected Vendors

Ec-Cube

References (4)

Third Party Advisory https://jvn.jp/en/jp/JVN30900552/index.html
Patch https://www.ec-cube.net/info/weakness/20220909/product_images_uploader.php
Third Party Advisory https://jvn.jp/en/jp/JVN30900552/index.html
Patch https://www.ec-cube.net/info/weakness/20220909/product_images_uploader.php
44
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 5/34 · Minimal
Exposure 7/34 · Low