CVE-2023-40281: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

August 17, 2023 (updated August 23, 2023)

EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in “mail/template” and “products/product” of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product.

References

jvn.jp/en/jp/JVN46993816/
nvd.nist.gov/vuln/detail/CVE-2023-40281
www.ec-cube.net/info/weakness/20230727/

Code Behaviors & Features

Detect and mitigate CVE-2023-40281 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →