#VU42342 Information disclosure in EC-CUBE - CVE-2013-5995

Cybersecurity Help s.r.o.

Published: 2013-11-21 | Updated: 2020-08-10

Vulnerability identifier: #VU42342

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2013-5995

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
EC-CUBE
Web applications / E-Commerce systems

Vendor: ec-cube.net

Description

The vulnerability allows a remote #AU# to read and manipulate data.

data/class/helper/SC_Helper_Address.php in the front-features implementation in LOCKON EC-CUBE 2.12.3 through 2.13.0 allows remote authenticated users to obtain sensitive information via unspecified vectors related to addresses. Per: http://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000106.html "User's information may be obtained or altered by other user who visits the shopping site"

Mitigation
Install update from vendor's website.

Vulnerable software versions

EC-CUBE: 2.12.3en - 2.13.0

External links
https://jvn.jp/en/jp/JVN55630933/index.html
https://jvndb.jvn.jp/jvndb/JVNDB-2013-000106
https://svn.ec-cube.net/open_trac/changeset/23274
https://www.ec-cube.net/info/weakness/weakness.php?id=51

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in ec-cube.net EC-CUBE