CVE-2022-25355

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-25355
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25355.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-25355
Aliases
Published
2022-02-24T15:15:31.490Z
Modified
2026-03-14T01:45:02.769848Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users.

References

Affected packages

Git / github.com/ec-cube/ec-cube

Affected ranges

Type
GIT
Repo
https://github.com/ec-cube/ec-cube
Events
Introduced
4ef1c4f8d51fd9d54a704300a26c65a278dc697a
Fixed
525aaa9f44407903f5cc20b371a5dd199ddae549
Introduced
00ef39551273847cff9b737f98f120a50d4320cc
Last affected
ef6b938f284a40bba78689dae5e8566a339fba13
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
525aaa9f44407903f5cc20b371a5dd199ddae549
Database specific 
{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.18"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "last_affected": "4.1.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.0.18-NA"
        }
    ]
}
Type
GIT
Repo
https://github.com/ec-cube/ec-cube3
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
14cd0cf79cec92be106bccb26eb3b84146b75876
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
c0cbef490ebc9e9a9b1c54bf13c8296d17862d4d
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
20465ad72bdb3e9342c903846c86c7a70805e58c
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.0.18-p1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.0.18-p2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.0.18-p3"
        }
    ]
}

Affected versions

3.*
3.0.0
3.0.0-beta0
3.0.0-beta1
3.0.0-beta2
3.0.0-beta3
3.0.0-beta4
3.0.1
3.0.10
3.0.11
3.0.11-RC
3.0.11-pre
3.0.12
3.0.12-p1
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.18-p1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0-alpha
3.1.0-alpha2
3.1.0-alpha3
3.n-alpha4
3.n-alpha5
3.n-alpha6
4.*
4.0-beta
4.0-beta2
4.0.0
4.0.0-rc
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.5-p1
4.0.5-rc
4.0.6
4.1-beta
4.1-beta2
4.1-beta3
4.1-beta3-20210831
4.1-beta3-20210901
4.1-beta3-20210903
4.1-rc
4.1.0
4.1.1
4.1.1-20211130
Other
co/20190306
co/20190313
co/20190404
co/20190417
co/20190508
co/20190613
co/20190710
co/20190718
co/20190808
co/20190822
co/20190829
co/20190905
co/20190912
co/20190930
co/20191017
co/20191031
co/20191114
co/20191128
co/20191212
co/4.*
co/4.1-20211111
co/4.1-20211118
co/4.1-20211125
co/4.1-20211202
eccube-3.*
eccube-3.0.0-alpha

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25355.json"