CVE-2013-5994 : data/class/pages/mypage/LC_Page_Mypage_DeliveryAddr.php in LOCKON EC-CUBE 2.11.2 through 2.13.0 allows remote attackers

data/class/pages/mypage/LC_Page_Mypage_DeliveryAddr.php in LOCKON EC-CUBE 2.11.2 through 2.13.0 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message.

Published 2013-11-21 04:40:59

Updated 2013-11-21 14:35:32

Source JPCERT/CC

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2013-5994

Probability of exploitation activity in the next 30 days: 0.33%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 68 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2013-5994

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2013-5994

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-5994

http://www.ec-cube.net/info/weakness/weakness.php?id=52

脆弱性 | ECサイト構築・リニューアルは「ECオープンプラットフォームEC-CUBE」
Exploit;Patch
http://jvndb.jvn.jp/jvndb/JVNDB-2013-000098

JVNDB-2013-000098 - JVN iPedia - 脆弱性対策情報データベース
http://svn.ec-cube.net/open_trac/changeset/23278

Changeset 23278 – EC-CUBE Trac
Exploit;Patch
http://jvn.jp/en/jp/JVN06870202/index.html

JVN#06870202: EC-CUBE information disclosure vulnerability

Products affected by CVE-2013-5994

Lockon » Ec-cube » Version: 2.11.2
cpe:2.3:a:lockon:ec-cube:2.11.2:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.11.3
cpe:2.3:a:lockon:ec-cube:2.11.3:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.11.4
cpe:2.3:a:lockon:ec-cube:2.11.4:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.11.5
cpe:2.3:a:lockon:ec-cube:2.11.5:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.12.1
cpe:2.3:a:lockon:ec-cube:2.12.1:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.12.3
cpe:2.3:a:lockon:ec-cube:2.12.3:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.12.3en
cpe:2.3:a:lockon:ec-cube:2.12.3en:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.12.3enp1
cpe:2.3:a:lockon:ec-cube:2.12.3enp1:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.12.3enp2
cpe:2.3:a:lockon:ec-cube:2.12.3enp2:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.12.0
cpe:2.3:a:lockon:ec-cube:2.12.0:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.12.2
cpe:2.3:a:lockon:ec-cube:2.12.2:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.12.5
cpe:2.3:a:lockon:ec-cube:2.12.5:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.12.5en
cpe:2.3:a:lockon:ec-cube:2.12.5en:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.12.4en
cpe:2.3:a:lockon:ec-cube:2.12.4en:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.12.6
cpe:2.3:a:lockon:ec-cube:2.12.6:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.12.6en
cpe:2.3:a:lockon:ec-cube:2.12.6en:*:*:*:*:*:*:*
Matching versions
Lockon » Ec-cube » Version: 2.13.0
cpe:2.3:a:lockon:ec-cube:2.13.0:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2013-5994

Exploit prediction scoring system (EPSS) score for CVE-2013-5994

CVSS scores for CVE-2013-5994

CWE ids for CVE-2013-5994

References for CVE-2013-5994

Products affected by CVE-2013-5994