CVE-2024-41141

Summary

Stored cross-site scripting vulnerability exists in EC-CUBE Web API Plugin. When there are multiple users using OAuth Management feature and one of them inputs some crafted value on the OAuth Management page, an arbitrary script may be executed on the web browser of the other user who accessed the management page.

Affected Software

VendorProductVersion RangeStatus
EC-CUBE CO.,LTD.EC-CUBE Web API Plugin1.0.0 and 2.1.0 to 2.1.3 (for EC-CUBE 4.0/4.1 series)affected
EC-CUBE CO.,LTD.EC-CUBE Web API Plugin (4.2 series)4.2.0 to 4.2.3 (for EC-CUBE 4.2 series)affected

Weaknesses

  • Cross-site scripting (XSS)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References