CVE-2022-25355

MEDIUM

EC-CUBE <4.1.1 - Info Disclosure

Title source: llm

Description

EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users.

References (2)

[Mitigation, Vendor Advisory] https://www.ec-cube.net/info/weakness/20220221/

[Third Party Advisory] https://jvn.jp/en/jp/JVN53871926/index.html

Scores

CVSS v3 5.3

EPSS 0.0106

EPSS Percentile 77.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-913

Status published

Products (3)

ec-cube/ec-cube 3.0.18 (4 CPE variants)

ec-cube/ec-cube 3.0.0Packagist

ec-cube/ec-cube 3.0.0 - 3.0.18

Published Feb 24, 2022

Tracked Since Feb 18, 2026