{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "4.0.0" }, { "last_affected": "4.0.6" }, { "introduced": "4.1.0" }, { "last_affected": "4.1.2" }, { "introduced": "0" }, { "last_affected": "4.0.6-p1" }, { "introduced": "0" }, { "last_affected": "4.0.6-p2" }, { "introduced": "0" }, { "last_affected": "4.1.2-p1" }, { "introduced": "0" }, { "last_affected": "4.2.0" } ] }, "events": [ { "introduced": "00ef39551273847cff9b737f98f120a50d4320cc" }, { "last_affected": "c6838851eade4903e90a0d4294f8342f2178e067" }, { "introduced": "5d02dde61f824fb9e264d003f59afc4663811567" }, { "last_affected": "710b64ce96786770fe59ba8255ff16925171f172" }, { "introduced": "0" }, { "last_affected": "8d81525bfe50caf159d9a4fb31124f479c6b658e" }, { "introduced": "0" }, { "last_affected": "70de60feb792923ef751f2876add23f612777fa0" }, { "introduced": "0" }, { "last_affected": "56786c9bb456ad52fa1f3b16dd9e675cc4a480fa" }, { "introduced": "0" }, { "last_affected": "0fbb7b3a340c75f2860123d5e01d706f8a15127b" } ], "repo": "https://github.com/ec-cube/ec-cube", "type": "GIT" } ] } ], "details": "Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.", "id": "CVE-2023-25077", "modified": "2026-03-13T21:52:35.434161897Z", "published": "2023-03-06T00:15:10.900Z", "references": [ { "type": "ADVISORY", "url": "https://jvn.jp/en/jp/JVN04785663/" }, { "type": "FIX", "url": "https://www.ec-cube.net/info/weakness/20230214/" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" } ] }