CSRF in Lockon Ec-cube

CVE-2015-5665

Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 2.11.0 through 2.13.3 allows remote attackers to hijack the authentication of arbitrary users for requests that write to PHP scripts, related to the doValidToken function.

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.001 (34.8th percentile) — read the EPSS interpretation.

Affected products

Lockon Ec-cube — versions 2.11.0, 2.11.1, 2.11.2
N/a — versions n/a

Weakness classification (CWE)

CWE-352 — Cross-Site Request Forgery (CSRF)

References

vultures@jpcert.or.jp (x_refsource_CONFIRM, Vendor Advisory)
JVNDB-2015-000166 (x_refsource_JVNDB, third-party-advisory, Vendor Advisory)
JVN#97278546 (x_refsource_JVN, third-party-advisory, Vendor Advisory)
vultures@jpcert.or.jp (x_refsource_CONFIRM, Vendor Advisory)