#VU94846 Acceptance of Extraneous Untrusted Data With Trusted Data in EC-CUBE - CVE-2024-41924

Cybersecurity Help s.r.o.

Published: 2024-07-30

Vulnerability identifier: #VU94846

Vulnerability risk: Low

CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-41924

CWE-ID: CWE-349

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
EC-CUBE
Web applications / E-Commerce systems

Vendor: ec-cube.net

Description

The vulnerability allows a remote user to compromise the target system.

The vulnerability exists due to the affected product improperly validates inputs when installing plugins. A remote administrator can install an arbitrary PHP package on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

EC-CUBE: 4.0 beta - 4.2.3

External links
https://jvn.jp/en/jp/JVN48324254/index.html
https://www.ec-cube.net/info/weakness/20240701/index.php

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Acceptance of Extraneous Untrusted Data With Trusted Data in EC-CUBE