Skip to content

s-index/CVE-2021-20717

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 

Repository files navigation

CVE-2021-20717-EC-CUBE-XSS

NVD Description

Cross-site scripting vulnerability in EC-CUBE 4.0.0 to 4.0.5 allows a remote attacker to inject a specially crafted script in the specific input field of the EC web site which is created using EC-CUBE. As a result, it may lead to an arbitrary script execution on the administrator's web browser.

Set Up

  1. Clone EC Cube
git clone https://github.com/EC-CUBE/ec-cube.git -b 4.0.5
  1. Docker Build
docker build -t eccube4-php-apache .
  1. Docker Run
docker run --name ec-cube -p "8080:80" -p "4430:443" eccube4-php-apache

Reproduce

User

https://localhost:8080

  1. Add to Cart & Proceed to Checkout

  2. Inject Script to Inquiry Form

Inject Script to Inquiry Form

  1. Complete Purchase

Admin

https://localhost:8080/admin/login

  1. Login admin:password

  2. Open Order List Page

  3. Click (Malicious) Order

  4. Click Create Mail Button

  5. Select Template

  6. Click Confirm Mail Button

Click Confirm Mail Button

Fixed Commit

https://github.com/EC-CUBE/ec-cube/commit/9bae20f070acfe0b84451bc1e082c699ac197faf

About

CVE-2021-20717-EC-CUBE-XSS

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published