CVE-2018-0658 - OpenCVE

Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ec-cube	Ec-cube Ec-cube Payment Module
Gmo-pg	Gmo-pg Payment Module

Configuration 1 [-]

AND

OR	cpe:2.3:a:ec-cube:ec-cube_payment_module::::::::
	cpe:2.3:a:gmo-pg:gmo-pg_payment_module::::::::

cpe:2.3:a:ec-cube:ec-cube:2.11:*:*:*:*:*:*:*

Configuration 2 [-]

AND

OR	cpe:2.3:a:ec-cube:ec-cube_payment_module::::::::
	cpe:2.3:a:gmo-pg:gmo-pg_payment_module::::::::

cpe:2.3:a:ec-cube:ec-cube:2.12:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://jvn.jp/en/jp/JVN06372244/index.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2018-09-07T14:00:00

Updated: 2024-08-05T03:35:49.000Z

Reserved: 2017-11-27T00:00:00

Link: CVE-2018-0658

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-09-07T14:29:02.633

Modified: 2018-11-20T20:41:32.440

Link: CVE-2018-0658

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE", "vendor": "GMO Payment Gateway, Inc.", "versions": [{"status": "affected", "version": "(EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, and GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier)"}]}], "datePublic": "2018-08-09T00:00:00", "descriptions": [{"lang": "en", "value": "Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors."}], "problemTypes": [{"descriptions": [{"description": "Improper Input Validation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-09-07T13:57:01", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"name": "JVN#06372244", "tags": ["third-party-advisory", "x_refsource_JVN"], "url": "http://jvn.jp/en/jp/JVN06372244/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2018-0658", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE", "version": {"version_data": [{"version_value": "(EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, and GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier)"}]}}]}, "vendor_name": "GMO Payment Gateway, Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "JVN#06372244", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN06372244/index.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:35:49.000Z"}, "title": "CVE Program Container", "references": [{"name": "JVN#06372244", "tags": ["third-party-advisory", "x_refsource_JVN", "x_transferred"], "url": "http://jvn.jp/en/jp/JVN06372244/index.html"}]}]}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2018-0658", "datePublished": "2018-09-07T14:00:00", "dateReserved": "2017-11-27T00:00:00", "dateUpdated": "2024-08-05T03:35:49.000Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ec-cube:ec-cube_payment_module:*:*:*:*:*:*:*:*", "matchCriteriaId": "7BD26589-55F6-4932-8C5E-9BEE82D41373", "versionEndIncluding": "2.3.17", "vulnerable": true}, {"criteria": "cpe:2.3:a:gmo-pg:gmo-pg_payment_module:*:*:*:*:*:*:*:*", "matchCriteriaId": "F47C5446-2A83-43CF-9AB5-EBBFBB4BAC9A", "versionEndIncluding": "2.3.17", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:ec-cube:ec-cube:2.11:*:*:*:*:*:*:*", "matchCriteriaId": "FA0DA371-7B35-4019-A67F-75F8CE0B691C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ec-cube:ec-cube_payment_module:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF34BE6C-9913-4277-AAF8-30FDCE8129AE", "versionEndIncluding": "3.5.23", "vulnerable": true}, {"criteria": "cpe:2.3:a:gmo-pg:gmo-pg_payment_module:*:*:*:*:*:*:*:*", "matchCriteriaId": "D634F5CB-877B-43AB-9C57-E54C87164568", "versionEndIncluding": "3.5.23", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:ec-cube:ec-cube:2.12:*:*:*:*:*:*:*", "matchCriteriaId": "E1B9AF05-5211-47EB-B448-00709CFDFEDE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 and earlier, EC-CUBE Payment Module (2.11) version 2.3.17 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) version 3.5.23 and earlier, GMO-PG Payment Module (PG Multi-Payment Service) (2.11) version 2.3.17 and earlier allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors."}, {"lang": "es", "value": "Problema de validaci\u00f3n de entradas en EC-CUBE Payment Module (2.12) en versiones 3.5.23 y anteriores, EC-CUBE Payment Module (2.11) en versiones 2.3.17 y anteriores, GMO-PG Payment Module (PG Multi-Payment Service) (2.12) en versiones 3.5.23 y anteriores y GMO-PG Payment Module (PG Multi-Payment Service) (2.11) en versiones 2.3.17 y anteriores permite que un atacante con permisos de administrador ejecute c\u00f3digo PHP arbitrario en el servidor mediante vectores sin especificar."}], "id": "CVE-2018-0658", "lastModified": "2018-11-20T20:41:32.440", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-09-07T14:29:02.633", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "http://jvn.jp/en/jp/JVN06372244/index.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}