CVE-2011-0451

Multiple cross-site scripting (XSS) vulnerabilities in (1) data/Smarty/templates/default/list.tpl and (2) data/Smarty/templates/default/campaign/bloc/cart_tag.tpl in EC-CUBE before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://jvn.jp/en/jp/JVN84393059/index.html
http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000011.html
http://secunia.com/advisories/43153	Vendor Advisory
http://svn.ec-cube.net/open_trac/changeset/18742	Patch
http://www.ec-cube.net/info/weakness/weakness.php?id=36
http://www.securityfocus.com/bid/46100
https://exchange.xforce.ibmcloud.com/vulnerabilities/65079

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:lockon:ec-cube::::::::
	cpe:2.3:a:lockon:ec-cube:1.1.0:beta::::::
	cpe:2.3:a:lockon:ec-cube:1.1.1:::::::*
	cpe:2.3:a:lockon:ec-cube:1.2.0:beta::::::
	cpe:2.3:a:lockon:ec-cube:1.3.0:::::::*
	cpe:2.3:a:lockon:ec-cube:1.3.0:beta::::::
	cpe:2.3:a:lockon:ec-cube:1.3.1:::::::*
	cpe:2.3:a:lockon:ec-cube:1.3.1:a::::::
	cpe:2.3:a:lockon:ec-cube:1.3.2:::::::*
	cpe:2.3:a:lockon:ec-cube:1.3.3:::::::*
	cpe:2.3:a:lockon:ec-cube:1.3.4:::::::*
	cpe:2.3:a:lockon:ec-cube:1.3.4:community::::::
	cpe:2.3:a:lockon:ec-cube:1.4.0:a-beta::::::
	cpe:2.3:a:lockon:ec-cube:1.4.0:beta::::::
	cpe:2.3:a:lockon:ec-cube:1.4.1:beta::::::
	cpe:2.3:a:lockon:ec-cube:1.4.2:beta::::::
	cpe:2.3:a:lockon:ec-cube:1.4.3:a-beta::::::
	cpe:2.3:a:lockon:ec-cube:1.4.3:b-beta::::::
	cpe:2.3:a:lockon:ec-cube:1.4.3:beta::::::
	cpe:2.3:a:lockon:ec-cube:1.4.5:::::::*
	cpe:2.3:a:lockon:ec-cube:1.4.6:::::::*
	cpe:2.3:a:lockon:ec-cube:1.4.7:::::::*
	cpe:2.3:a:lockon:ec-cube:1.5.0:beta::::::
	cpe:2.3:a:lockon:ec-cube:2.0.0:beta::::::
	cpe:2.3:a:lockon:ec-cube:2.0.1:::::::*
	cpe:2.3:a:lockon:ec-cube:2.0.1:a::::::
	cpe:2.3:a:lockon:ec-cube:2.1.0:beta::::::
	cpe:2.3:a:lockon:ec-cube:2.1.2:::::::*
	cpe:2.3:a:lockon:ec-cube:2.1.2:a::::::
	cpe:2.3:a:lockon:ec-cube:2.2.0:beta::::::
	cpe:2.3:a:lockon:ec-cube:2.2.1:one::::::
	cpe:2.3:a:lockon:ec-cube:2.3.0:::::::*
	cpe:2.3:a:lockon:ec-cube:2.3.0:rc1::::::
	cpe:2.3:a:lockon:ec-cube:2.3.1:::::::*
	cpe:2.3:a:lockon:ec-cube:2.3.3:::::::*
	cpe:2.3:a:lockon:ec-cube:2.3.4:::::::*
	cpe:2.3:a:lockon:ec-cube:2.4.0:::::::*
	cpe:2.3:a:lockon:ec-cube:2.4.0:rc1::::::
	cpe:2.3:a:lockon:ec-cube:2.4.1:::::::*
	cpe:2.3:a:lockon:ec-cube:2.4.2:::::::*
	cpe:2.3:a:lockon:ec-cube:2.4.4:::::::*
	cpe:2.3:a:lockon:ec-cube:2.11.0:beta::::::

History

No history.

Information

Published : 2011-02-03 16:00

Updated : 2017-08-17 01:33

NVD link : CVE-2011-0451

Mitre link : CVE-2011-0451

CVE.ORG link : CVE-2011-0451

JSON object : View

Products Affected

lockon

ec-cube

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.3 /10