CVE-2018-0658

Published on: 09/07/2018 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:24:49 PM UTC

CVE-2018-0658

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Certain versions of Ec-cube from Ec-cube contain the following vulnerability:

Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors.

CVE-2018-0658 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
Affected Vendor/Software: GMO Payment Gateway, Inc. - EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE version (EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, and GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier)

CVSS3 Score: 7.2 - HIGH

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	LOW	HIGH	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	HIGH	HIGH	HIGH

CVSS2 Score: 6.5 - MEDIUM

Access Vector^ⓘ	Access Complexity	Authentication
NETWORK	LOW	SINGLE
Confidentiality Impact	Integrity Impact	Availability Impact
PARTIAL	PARTIAL	PARTIAL

CVE References

Description	Tags ^ⓘ	Link
JVN#06372244: Multiple vulnerabilities in EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE	Third Party Advisory jvn.jp text/xml	JVN JVN#06372244

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

There are currently no QIDs associated with this CVE

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Ec-cube	Ec-cube	2.11	All	All	All
Application	Ec-cube	Ec-cube	2.12	All	All	All
Application	Ec-cube	Ec-cube	2.11	All	All	All
Application	Ec-cube	Ec-cube	2.12	All	All	All
Application	Ec-cube	Ec-cube Payment Module	All	All	All	All
Application	Ec-cube	Ec-cube Payment Module	All	All	All	All
Application	Gmo-pg	Gmo-pg Payment Module	All	All	All	All
Application	Gmo-pg	Gmo-pg Payment Module	All	All	All	All

cpe:2.3:a:ec-cube:ec-cube:2.11:*:*:*:*:*:*:*:
cpe:2.3:a:ec-cube:ec-cube:2.12:*:*:*:*:*:*:*:
cpe:2.3:a:ec-cube:ec-cube:2.11:*:*:*:*:*:*:*:
cpe:2.3:a:ec-cube:ec-cube:2.12:*:*:*:*:*:*:*:
cpe:2.3:a:ec-cube:ec-cube_payment_module:*:*:*:*:*:*:*:*:
cpe:2.3:a:ec-cube:ec-cube_payment_module:*:*:*:*:*:*:*:*:
cpe:2.3:a:gmo-pg:gmo-pg_payment_module:*:*:*:*:*:*:*:*:
cpe:2.3:a:gmo-pg:gmo-pg_payment_module:*:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE