SB2020120301 - Multiple vulnerabilities in EC-CUBE

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Restriction of Rendered UI Layers or Frames (CVE-ID: CVE-2020-5679)

The vulnerability allows a remote attacker to compromise the traget system.

The vulnerability exists due to the affected product is vulnerable to clickjacking. A remote attacker can trick a victim to visit a malicious page and conduct unintended operations.

2) Input validation error (CVE-ID: CVE-2020-5680)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://jvn.jp/en/jp/JVN24457594/index.html
• https://www.ec-cube.net/info/weakness/weakness.php?id=75
• https://www.ec-cube.net/info/weakness/weakness.php?id=76