CVE-2013-3651

LOCKON EC-CUBE 2.11.2-2.12.4 - Remote PHP Code Injection via Crafted String

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-3651. PoCs published by motikan2010.

AI-analyzed exploit summary This PoC exploits a command injection vulnerability in EC-CUBE 2 by injecting a system command via the 'name01' parameter in the password reset functionality. It checks for the presence of the injected command output to confirm vulnerability.

Description

LOCKON EC-CUBE 2.11.2 through 2.12.4 allows remote attackers to conduct unspecified PHP code-injection attacks via a crafted string, related to data/class/SC_CheckError.php and data/class/SC_FormParam.php.

Exploits (1)

nomisec WORKING POC 2 stars
by motikan2010 · poc
https://github.com/motikan2010/CVE-2013-3651

This PoC exploits a command injection vulnerability in EC-CUBE 2 by injecting a system command via the 'name01' parameter in the password reset functionality. It checks for the presence of the injected command output to confirm vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: EC-CUBE 2
No auth needed
Prerequisites: Target URL with EC-CUBE 2 installation
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Various Sources x_refsource_confirm
http://www.ec-cube.net/info/weakness/20130626/index.php
Vendor Advisory x_refsource_confirm
http://svn.ec-cube.net/open_trac/changeset/22891
Vendor Advisory x_refsource_confirm
http://www.ec-cube.net/info/weakness/weakness.php?id=49
Third Party Advisory third-party-advisory x_refsource_jvn
http://jvn.jp/en/jp/JVN34900750/index.html
Third Party Advisory third-party-advisory x_refsource_jvndb
http://jvndb.jvn.jp/jvndb/JVNDB-2013-000062

Scores

EPSS 0.0428
EPSS Percentile 89.8%

Details

CWE
CWE-94
Status published
Products (9)
lockon/ec-cube 2.11.2
lockon/ec-cube 2.11.3
lockon/ec-cube 2.11.4
lockon/ec-cube 2.11.5
lockon/ec-cube 2.12.0
lockon/ec-cube 2.12.1
lockon/ec-cube 2.12.2
lockon/ec-cube 2.12.3
lockon/ec-cube 2.12.4
Published Jun 30, 2013
Tracked Since Feb 18, 2026