CVE-2014-0808 - Vulnerability Details - OpenCVE

Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the affected shopping website may obtain other users' information by sending a crafted HTTP request.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lockon	Ec-cube

Configuration 1 [-]

OR	cpe:2.3:a:lockon:ec-cube:2.11.0:::::::*
	cpe:2.3:a:lockon:ec-cube:2.11.0:beta::::::
	cpe:2.3:a:lockon:ec-cube:2.11.0:beta2::::::
	cpe:2.3:a:lockon:ec-cube:2.11.1:::::::*
	cpe:2.3:a:lockon:ec-cube:2.11.2:::::::*
	cpe:2.3:a:lockon:ec-cube:2.11.3:::::::*
	cpe:2.3:a:lockon:ec-cube:2.11.4:::::::*
	cpe:2.3:a:lockon:ec-cube:2.11.5:::::::*
	cpe:2.3:a:lockon:ec-cube:2.12.0:::::::*
	cpe:2.3:a:lockon:ec-cube:2.12.1:::::::*
	cpe:2.3:a:lockon:ec-cube:2.12.2:::::::*

No data.

References

Link	Providers
http://jvn.jp/en/jp/JVN51770585/
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000006
http://www.ec-cube.net/info/weakness/weakness.php?id=57
https://ec-orange.jp/
https://jvn.jp/en/jp/JVN15637138/
https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054

History

No history.

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2014-01-22T21:00:00

Updated: 2024-08-06T09:27:20.153Z

Reserved: 2014-01-06T00:00:00

Link: CVE-2014-0808

Vulnrichment

Updated: 2024-08-06T09:27:20.153Z

NVD

Status : Deferred

Published: 2014-01-22T21:55:03.717

Modified: 2025-04-11T00:51:21.963

Link: CVE-2014-0808

Redhat

No data.

{"containers": {"cna": {"affected": [{"vendor": "EC-CUBE CO.,LTD.", "product": "EC-CUBE", "versions": [{"version": "2.11.0 through 2.12.2", "status": "affected"}]}, {"vendor": "S\u2011cubism Inc.", "product": "EC-Orange", "versions": [{"version": "systems deployed before June 29th", "status": "affected"}, {"version": " 2015", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the affected shopping website may obtain other users' information by sending a crafted HTTP request."}], "problemTypes": [{"descriptions": [{"description": "Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "text"}]}], "references": [{"url": "http://www.ec-cube.net/info/weakness/weakness.php?id=57"}, {"url": "http://jvn.jp/en/jp/JVN51770585/"}, {"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000006"}, {"url": "https://ec-orange.jp/"}, {"url": "https://jvn.jp/en/jp/JVN15637138/"}, {"url": "https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054"}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2024-06-11T05:17:08.940Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-566", "lang": "en", "description": "CWE-566 Authorization Bypass Through User-Controlled SQL Primary Key"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-06-11T14:04:20.266694Z", "id": "CVE-2014-0808", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T14:07:16.517Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:27:20.153Z"}, "title": "CVE Program Container", "references": [{"url": "http://www.ec-cube.net/info/weakness/weakness.php?id=57", "tags": ["x_transferred"]}, {"url": "http://jvn.jp/en/jp/JVN51770585/", "tags": ["x_transferred"]}, {"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000006", "tags": ["x_transferred"]}, {"url": "https://ec-orange.jp/", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN15637138/", "tags": ["x_transferred"]}, {"url": "https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054", "tags": ["x_transferred"]}]}]}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2014-0808", "datePublished": "2014-01-22T21:00:00", "dateReserved": "2014-01-06T00:00:00", "dateUpdated": "2024-08-06T09:27:20.153Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.ec-cube.net/info/weakness/weakness.php?id=57", "tags": ["x_transferred"]}, {"url": "http://jvn.jp/en/jp/JVN51770585/", "tags": ["x_transferred"]}, {"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000006", "tags": ["x_transferred"]}, {"url": "https://ec-orange.jp/", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN15637138/", "tags": ["x_transferred"]}, {"url": "https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:27:20.153Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2014-0808", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-11T14:04:20.266694Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-566", "description": "CWE-566 Authorization Bypass Through User-Controlled SQL Primary Key"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T14:05:05.554Z"}}], "cna": {"affected": [{"vendor": "EC-CUBE CO.,LTD.", "product": "EC-CUBE", "versions": [{"status": "affected", "version": "2.11.0 through 2.12.2"}]}, {"vendor": "S\u2011cubism Inc.", "product": "EC-Orange", "versions": [{"status": "affected", "version": "systems deployed before June 29th"}, {"status": "affected", "version": " 2015"}]}], "references": [{"url": "http://www.ec-cube.net/info/weakness/weakness.php?id=57"}, {"url": "http://jvn.jp/en/jp/JVN51770585/"}, {"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000006"}, {"url": "https://ec-orange.jp/"}, {"url": "https://jvn.jp/en/jp/JVN15637138/"}, {"url": "https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054"}], "descriptions": [{"lang": "en", "value": "Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the affected shopping website may obtain other users' information by sending a crafted HTTP request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2024-06-11T05:17:08.940Z"}}}, "cveMetadata": {"cveId": "CVE-2014-0808", "state": "PUBLISHED", "dateUpdated": "2024-08-06T09:27:20.153Z", "dateReserved": "2014-01-06T00:00:00", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2014-01-22T21:00:00", "assignerShortName": "jpcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "E37E68F4-EC08-4A33-8CD2-9B854E51A6E4", "vulnerable": true}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.0:beta:*:*:*:*:*:*", "matchCriteriaId": "8A85840E-73A5-411D-912A-A1CEA7852904", "vulnerable": true}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "C34FB238-1A64-4CBB-AAF6-FDE6BA90A096", "vulnerable": true}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "AC0C6C78-3FD3-4AA3-95B0-CF798396E802", "vulnerable": true}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.2:*:*:*:*:*:*:*", "matchCriteriaId": "933ADEC5-451B-4DAA-AB23-7CD8A9A64954", "vulnerable": true}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.3:*:*:*:*:*:*:*", "matchCriteriaId": "3EFDD02C-56D4-480E-8FF3-E4B63554CB26", "vulnerable": true}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.4:*:*:*:*:*:*:*", "matchCriteriaId": "1C4BC181-D123-460C-9BF8-6B8FB800697C", "vulnerable": true}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.5:*:*:*:*:*:*:*", "matchCriteriaId": "8C40A7B5-639C-4390-B91E-BEC404B5ED1B", "vulnerable": true}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D261CC2-F7E5-437E-884B-D25C72F939C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "CA1710AF-A87A-4970-BF19-481040A7524A", "vulnerable": true}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.12.2:*:*:*:*:*:*:*", "matchCriteriaId": "7C72DED8-1073-47A9-B089-84E3ABC96401", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the affected shopping website may obtain other users' information by sending a crafted HTTP request."}, {"lang": "es", "value": "La funci\u00f3n IfCheckError en data/class/pages/shopping/LC_Page_Shopping_Multiple.php de LOCKON EC-CUBE 2.11.0 hasta la versi\u00f3n 2.12.2 permite a atacantes remotos obtener informaci\u00f3n de env\u00edo sensible a trav\u00e9s de vectores no especificados."}], "id": "CVE-2014-0808", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2014-01-22T21:55:03.717", "references": [{"source": "vultures@jpcert.or.jp", "url": "http://jvn.jp/en/jp/JVN51770585/"}, {"source": "vultures@jpcert.or.jp", "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000006"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "http://www.ec-cube.net/info/weakness/weakness.php?id=57"}, {"source": "vultures@jpcert.or.jp", "url": "https://ec-orange.jp/"}, {"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN15637138/"}, {"source": "vultures@jpcert.or.jp", "url": "https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://jvn.jp/en/jp/JVN51770585/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000006"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.ec-cube.net/info/weakness/weakness.php?id=57"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://ec-orange.jp/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://jvn.jp/en/jp/JVN15637138/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-566"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}