CVE-2013-5993
medium
| CVSS v3 | CVSS v2 | VIR risk |
|---|---|---|
| — | 6.8 | 6.8 |
Description
Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 2.11.0 through 2.13.0 allows remote attackers to hijack the authentication of arbitrary users via unspecified vectors related to refusals.
Predictions
| Exploit likelihood | Patch ETA |
|---|---|
| 20% | — |
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: vultures@jpcert.or.jp — http://www.ec-cube.net/info/weakness/weakness.php?id=53
Vendor advisory: vultures@jpcert.or.jp — http://svn.ec-cube.net/open_trac/changeset/23277
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| lockon | ec-cube | 2.11.0 | |
| lockon | ec-cube | 2.11.1 | |
| lockon | ec-cube | 2.11.2 | |
| lockon | ec-cube | 2.11.3 | |
| lockon | ec-cube | 2.11.4 | |
| lockon | ec-cube | 2.11.5 | |
| lockon | ec-cube | 2.12.0 | |
| lockon | ec-cube | 2.12.1 | |
| lockon | ec-cube | 2.12.2 | |
| lockon | ec-cube | 2.12.3 | |
| lockon | ec-cube | 2.12.3en | |
| lockon | ec-cube | 2.12.3enp1 | |
| lockon | ec-cube | 2.12.3enp2 | |
| lockon | ec-cube | 2.12.4en | |
| lockon | ec-cube | 2.12.5 | |
| lockon | ec-cube | 2.12.5en | |
| lockon | ec-cube | 2.12.6 | |
| lockon | ec-cube | 2.12.6en | |
| lockon | ec-cube | 2.13.0 | |
References
- http://jvn.jp/en/jp/JVN11221613/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2013-000097
- http://svn.ec-cube.net/open_trac/changeset/23277
- http://www.ec-cube.net/info/weakness/weakness.php?id=53
CWEs
CWE-352