CVE-2024-41924
Published:July 30, 2024
Updated:May 27, 2026
Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are installed, the product may be affected by some known vulnerabilities.
Affected Packages
ec-cube/ec-cube (PHP):
Affected version(s) =dev-dependabot/npm_and_yarn/zap/selenium/ci/TypeScript/minimist-1.2.6 <eccube-1.3.0-betaFix Suggestion:
Update to version eccube-1.3.0-betaec-cube/ec-cube (PHP):
Affected version(s) =dev-dependabot/npm_and_yarn/ini-1.3.7 <eccube-1.4.0-beta-devFix Suggestion:
Update to version eccube-1.4.0-beta-devec-cube/ec-cube (PHP):
Affected version(s) =dev-dependabot/npm_and_yarn/zap/selenium/ci/TypeScript/word-wrap-1.2.5 <dev-dependabot/npm_and_yarn/minimist-1.2.6Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/minimist-1.2.6ec-cube/ec-cube (PHP):
Affected version(s) >=dev-co/4.2 <dev-release/4.2.0Fix Suggestion:
Update to version dev-release/4.2.0ec-cube/ec-cube (PHP):
Affected version(s) >=4.3.0-alpha <4.3.0Fix Suggestion:
Update to version 4.3.0ec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/composer/vlucas/phpdotenv-5.6.0 <dev-dependabot/npm_and_yarn/terser-5.15.0Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/terser-5.15.0ec-cube/ec-cube (PHP):
Affected version(s) >=4.1.1 <4.1.2-p4Fix Suggestion:
Update to version 4.1.2-p4ec-cube/ec-cube (PHP):
Affected version(s) =dev-dependabot/composer/composer/ca-bundle-1.5.0 <dev-dependabot/composer/composer/ca-bundle-1.5.5Fix Suggestion:
Update to version dev-dependabot/composer/composer/ca-bundle-1.5.5ec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/npm_and_yarn/normalize.css-8.0.1 <dev-fix-csv-time-idFix Suggestion:
Update to version dev-fix-csv-time-idec-cube/ec-cube (PHP):
Affected version(s) =4.1-beta3 <dev-4.1-beta3Fix Suggestion:
Update to version dev-4.1-beta3ec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/composer/composer/composer-2.6.4 <eccube-2.11.0-betaFix Suggestion:
Update to version eccube-2.11.0-betaec-cube/ec-cube (PHP):
Affected version(s) =dev-dependabot/composer/composer/composer-2.1.9 <eccube-2.2.0-betaFix Suggestion:
Update to version eccube-2.2.0-betaec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/npm_and_yarn/multi-a9f852c250 <dev-dependabot/npm_and_yarn/zap/selenium/ci/TypeScript/tmpl-1.0.5Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/zap/selenium/ci/TypeScript/tmpl-1.0.5ec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/npm_and_yarn/browserslist-4.16.6 <dev-dependabot/composer/exercise/htmlpurifier-bundle-5.0Fix Suggestion:
Update to version dev-dependabot/composer/exercise/htmlpurifier-bundle-5.0ec-cube/ec-cube (PHP):
Affected version(s) >=4.0.3 <4.0.6-p5Fix Suggestion:
Update to version 4.0.6-p5ec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/composer/tecnickcom/tcpdf-6.7.4 <dev-dependabot/composer/tecnickcom/tcpdf-6.7.7Fix Suggestion:
Update to version dev-dependabot/composer/tecnickcom/tcpdf-6.7.7ec-cube/ec-cube (PHP):
Affected version(s) =4.1.0 <dev-4.1.0-checkFix Suggestion:
Update to version dev-4.1.0-checkec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/github_actions/actions/cache-4 <dev-dependabot/npm_and_yarn/multi-82ad408bf4Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/multi-82ad408bf4ec-cube/ec-cube (PHP):
Affected version(s) =dev-dependabot/npm_and_yarn/zap/selenium/ci/TypeScript/ip-1.1.9 <eccube-1.2.0-betaFix Suggestion:
Update to version eccube-1.2.0-betaec-cube/ec-cube (PHP):
Affected version(s) =dev-dependabot/composer/twig/twig-2.14.11 <dev-dependabot/composer/twig/twig-2.15.3Fix Suggestion:
Update to version dev-dependabot/composer/twig/twig-2.15.3ec-cube/ec-cube (PHP):
Affected version(s) =dev-4.3-symfony6 <dev-co/4.3Fix Suggestion:
Update to version dev-co/4.3ec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/composer/symfony/form-6.4.7 <dev-dependabot/composer/symfony/security-bundle-6.4.10Fix Suggestion:
Update to version dev-dependabot/composer/symfony/security-bundle-6.4.10ec-cube/ec-cube (PHP):
Affected version(s) =4.0.0 <4.0.x-devFix Suggestion:
Update to version 4.0.x-devec-cube/ec-cube (PHP):
Affected version(s) =dev-dependabot/npm_and_yarn/y18n-3.2.2 <dev-dependabot/composer/symfony/polyfill-php73-1.30.0Fix Suggestion:
Update to version dev-dependabot/composer/symfony/polyfill-php73-1.30.0ec-cube/ec-cube (PHP):
Affected version(s) =dev-dependabot/composer/doctrine/instantiator-2.0.0 <version-2Fix Suggestion:
Update to version version-2ec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/github_actions/docker/login-action-3 <3.0.1Fix Suggestion:
Update to version 3.0.1ec-cube/ec-cube (PHP):
Affected version(s) >=dev-pick-for-4.0 <4.0.2Fix Suggestion:
Update to version 4.0.2ec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/composer/nesbot/carbon-3.4.0 <dev-dependabot/composer/doctrine/common-3.4.5Fix Suggestion:
Update to version dev-dependabot/composer/doctrine/common-3.4.5ec-cube/ec-cube (PHP):
Affected version(s) =dev-test <dev-update-composerFix Suggestion:
Update to version dev-update-composerec-cube/ec-cube (PHP):
Affected version(s) =dev-4.0.6-p1 <dev-4.0.6-p2Fix Suggestion:
Update to version dev-4.0.6-p2ec-cube/ec-cube (PHP):
Affected version(s) =dev-dependabot/npm_and_yarn/zap/selenium/ci/TypeScript/braces-3.0.3 <3.0.4Fix Suggestion:
Update to version 3.0.4ec-cube/ec-cube (PHP):
Affected version(s) =4.3.x-dev <dev-4.3-privateFix Suggestion:
Update to version dev-4.3-privateec-cube/ec-cube (PHP):
Affected version(s) =dev-dependabot/npm_and_yarn/webpack-5.76.0 <dev-dependabot/npm_and_yarn/webpack-5.94.0Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/webpack-5.94.0ec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/github_actions/docker/build-push-action-5 <dev-dependabot/npm_and_yarn/zap/selenium/ci/TypeScript/ansi-regex-5.0.1Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/zap/selenium/ci/TypeScript/ansi-regex-5.0.1ec-cube/ec-cube (PHP):
Affected version(s) =dev-maintenance/4.0 <dev-maintenance/4.0-privateFix Suggestion:
Update to version dev-maintenance/4.0-privateec-cube/ec-cube (PHP):
Affected version(s) >=dev-fix/admin_product_product_class_sort <dev-improve/csv-splitFix Suggestion:
Update to version dev-improve/csv-splitec-cube/ec-cube (PHP):
Affected version(s) >=dev-co/4.1 <dev-maintenance/4.1-privateFix Suggestion:
Update to version dev-maintenance/4.1-privateec-cube/ec-cube (PHP):
Affected version(s) >=4.2.2 <4.2.3-p1Fix Suggestion:
Update to version 4.2.3-p1ec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/composer/guzzlehttp/guzzle-6.5.7 <dev-dependabot/composer/knplabs/knp-paginator-bundle-6.6.1Fix Suggestion:
Update to version dev-dependabot/composer/knplabs/knp-paginator-bundle-6.6.1ec-cube/ec-cube (PHP):
Affected version(s) >=4.2.0-beta2-20220916 <4.2.x-devFix Suggestion:
Update to version 4.2.x-devec-cube/ec-cube (PHP):
Affected version(s) >=dev-refine-kenshi/feature/class_csv <dev-revert-5391-issue/5279Fix Suggestion:
Update to version dev-revert-5391-issue/5279ec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/npm_and_yarn/sass-1.77.1 <dev-dependabot/npm_and_yarn/sass-1.81.0Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/sass-1.81.0ec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/npm_and_yarn/axios-and-browser-sync--removed <dev-dependabot/npm_and_yarn/engine.io-and-browser-sync-6.2.0Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/engine.io-and-browser-sync-6.2.0ec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/composer/sebastian/global-state-5.0.7 <dev-dependabot/composer/nikic/php-parser-5.3.1Fix Suggestion:
Update to version dev-dependabot/composer/nikic/php-parser-5.3.1ec-cube/ec-cube (PHP):
Affected version(s) =dev-dependabot/composer/twig/extra-bundle-3.10.0 <dev-dependabot/composer/twig/extra-bundle-3.11.0Fix Suggestion:
Update to version dev-dependabot/composer/twig/extra-bundle-3.11.0ec-cube/ec-cube (PHP):
Affected version(s) =dev-dependabot/composer/robthree/twofactorauth-2.1.0 <eccube-2.1.2Fix Suggestion:
Update to version eccube-2.1.2ec-cube/ec-cube (PHP):
Affected version(s) =dev-improve/edit-id <dev-modify-e2e/EA07Fix Suggestion:
Update to version dev-modify-e2e/EA07ec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/composer/symfony/security-3.4.48 <dev-dependabot/composer/nesbot/carbon-3.8.2Fix Suggestion:
Update to version dev-dependabot/composer/nesbot/carbon-3.8.2ec-cube/ec-cube (PHP):
Affected version(s) =dev-dependabot/composer/composer/composer-1.10.22 <dev-dependabot/composer/seld/jsonlint-1.11.0Fix Suggestion:
Update to version dev-dependabot/composer/seld/jsonlint-1.11.0ec-cube/ec-cube (PHP):
Affected version(s) >=dev-dependabot/github_actions/docker/build-push-action-6 <dev-dependabot/composer/knplabs/knp-paginator-bundle-6.4.0Fix Suggestion:
Update to version dev-dependabot/composer/knplabs/knp-paginator-bundle-6.4.0Related Resources (2)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.6
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.2
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Acceptance of Extraneous Untrusted Data With Trusted Data
EPSS
Base Score:
0.14