CVE-2014-0808

Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the affected shopping website may obtain other users' information by sending a crafted HTTP request.

CVSS v3 9.1 CRITICAL
CVSS v2.0 5.0 MEDIUM

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://jvn.jp/en/jp/JVN51770585/
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000006
http://www.ec-cube.net/info/weakness/weakness.php?id=57	Vendor Advisory
https://ec-orange.jp/
https://jvn.jp/en/jp/JVN15637138/
https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054
http://jvn.jp/en/jp/JVN51770585/
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000006
http://www.ec-cube.net/info/weakness/weakness.php?id=57	Vendor Advisory
https://ec-orange.jp/
https://jvn.jp/en/jp/JVN15637138/
https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:lockon:ec-cube:2.11.0:::::::*
	cpe:2.3:a:lockon:ec-cube:2.11.0:beta::::::
	cpe:2.3:a:lockon:ec-cube:2.11.0:beta2::::::
	cpe:2.3:a:lockon:ec-cube:2.11.1:::::::*
	cpe:2.3:a:lockon:ec-cube:2.11.2:::::::*
	cpe:2.3:a:lockon:ec-cube:2.11.3:::::::*
	cpe:2.3:a:lockon:ec-cube:2.11.4:::::::*
	cpe:2.3:a:lockon:ec-cube:2.11.5:::::::*
	cpe:2.3:a:lockon:ec-cube:2.12.0:::::::*
	cpe:2.3:a:lockon:ec-cube:2.12.1:::::::*
	cpe:2.3:a:lockon:ec-cube:2.12.2:::::::*

History

21 Nov 2024, 02:02

Type	Values Removed	Values Added
References	~~() http://jvn.jp/en/jp/JVN51770585/ -~~	() http://jvn.jp/en/jp/JVN51770585/ -
References	~~() http://jvndb.jvn.jp/jvndb/JVNDB-2014-000006 -~~	() http://jvndb.jvn.jp/jvndb/JVNDB-2014-000006 -
References	~~() http://www.ec-cube.net/info/weakness/weakness.php?id=57 - Vendor Advisory~~	() http://www.ec-cube.net/info/weakness/weakness.php?id=57 - Vendor Advisory
References	~~() https://ec-orange.jp/ -~~	() https://ec-orange.jp/ -
References	~~() https://jvn.jp/en/jp/JVN15637138/ -~~	() https://jvn.jp/en/jp/JVN15637138/ -
References	~~() https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054 -~~	() https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054 -

03 Jul 2024, 01:35

Type	Values Removed	Values Added
CVSS	v2 : ~~5.0~~ v3 : ~~unknown~~	v2 : 5.0 v3 : 9.1
CWE		CWE-566

11 Jun 2024, 06:15

Type	Values Removed	Values Added
Summary	(en) The lfCheckError function in data/class/pages/shopping/LC_Page_Shopping_Multiple.php in LOCKON EC-CUBE 2.11.0 through 2.12.2 allows remote attackers to obtain sensitive shipping information via unspecified vectors.	(en) Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the affected shopping website may obtain other users' information by sending a crafted HTTP request.
References	~~{'url': 'http://jvn.jp/en/jp/JVN51770585/index.html', 'source': 'vultures@jpcert.or.jp'}~~	() http://jvn.jp/en/jp/JVN51770585/ - () https://ec-orange.jp/ - () https://jvn.jp/en/jp/JVN15637138/ - () https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054 -

Information

Published : 2014-01-22 21:55

Updated : 2025-04-11 00:51

NVD link : CVE-2014-0808

Mitre link : CVE-2014-0808

CVE.ORG link : CVE-2014-0808

JSON object : View

Products Affected

lockon

ec-cube

CWE

NVD-CWE-noinfo CWE-566

Authorization Bypass Through User-Controlled SQL Primary Key

{"id": "CVE-2014-0808", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2014-01-22T21:55:03.717", "references": [{"url": "http://jvn.jp/en/jp/JVN51770585/", "source": "vultures@jpcert.or.jp"}, {"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000006", "source": "vultures@jpcert.or.jp"}, {"url": "http://www.ec-cube.net/info/weakness/weakness.php?id=57", "tags": ["Vendor Advisory"], "source": "vultures@jpcert.or.jp"}, {"url": "https://ec-orange.jp/", "source": "vultures@jpcert.or.jp"}, {"url": "https://jvn.jp/en/jp/JVN15637138/", "source": "vultures@jpcert.or.jp"}, {"url": "https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054", "source": "vultures@jpcert.or.jp"}, {"url": "http://jvn.jp/en/jp/JVN51770585/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000006", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.ec-cube.net/info/weakness/weakness.php?id=57", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://ec-orange.jp/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://jvn.jp/en/jp/JVN15637138/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://jvndb.jvn.jp/jvndb/JVNDB-2024-000054", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-566"}]}], "descriptions": [{"lang": "en", "value": "Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the affected shopping website may obtain other users' information by sending a crafted HTTP request."}, {"lang": "es", "value": "La funci\u00f3n IfCheckError en data/class/pages/shopping/LC_Page_Shopping_Multiple.php de LOCKON EC-CUBE 2.11.0 hasta la versi\u00f3n 2.12.2 permite a atacantes remotos obtener informaci\u00f3n de env\u00edo sensible a trav\u00e9s de vectores no especificados."}], "lastModified": "2025-04-11T00:51:21.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E37E68F4-EC08-4A33-8CD2-9B854E51A6E4"}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.0:beta:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A85840E-73A5-411D-912A-A1CEA7852904"}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.0:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C34FB238-1A64-4CBB-AAF6-FDE6BA90A096"}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC0C6C78-3FD3-4AA3-95B0-CF798396E802"}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "933ADEC5-451B-4DAA-AB23-7CD8A9A64954"}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EFDD02C-56D4-480E-8FF3-E4B63554CB26"}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C4BC181-D123-460C-9BF8-6B8FB800697C"}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.11.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C40A7B5-639C-4390-B91E-BEC404B5ED1B"}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.12.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D261CC2-F7E5-437E-884B-D25C72F939C6"}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.12.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CA1710AF-A87A-4970-BF19-481040A7524A"}, {"criteria": "cpe:2.3:a:lockon:ec-cube:2.12.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7C72DED8-1073-47A9-B089-84E3ABC96401"}], "operator": "OR"}]}], "sourceIdentifier": "vultures@jpcert.or.jp"}

9.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2014-0808

9.1^/10

5.0^/10

Attach tags to `CVE-2014-0808`