Vulnerability Details : CVE-2021-20735
Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to inject an arbitrary script by executing a specific operation on the management page of EC-CUBE.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2021-20735
- cpe:2.3:a:ec-cube:delivery_slip_number:*:*:*:*:*:ec-cube:*:*
- Ec-cube » Delivery Slip Number Csv Bulk Registration » For Ec-cube, versions up to and including (<=) 1.0.8: cpe:2.3:a:ec-cube:delivery_slip_number_csv_bulk_registration:*:*:*:*:*:ec-cube:*:*
- cpe:2.3:a:ec-cube:delivery_slip_number_mail:*:*:*:*:*:ec-cube:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-20735
0.17%: probability of exploitation activity in the next 30 days
~54%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-20735
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
CWE ids for CVE-2021-20735
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-20735
- https://jvn.jp/en/jp/JVN79254445/index.html
  JVN#79254445: Multiple ETUNA EC-CUBE plugins vulnerable to cross-site scripting (Third Party Advisory)
- https://www.ec-cube.net/release/detail.php?release_id=5087
  Vulnerability discovered in the Delivery slip number csv bulk registration plugin (3.0 series) and request for action | EC-CUBE (Vendor Advisory)
- https://www.ec-cube.net/release/detail.php?release_id=5089
  Vulnerability discovered in the Delivery slip number mail plugin (3.0 series) and request for action | EC-CUBE (Vendor Advisory)
- https://www.ec-cube.net/release/detail.php?release_id=5088
  Vulnerability discovered in the Delivery slip number plugin (3.0 series) and request for action | EC-CUBE (Vendor Advisory)