Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the affected shopping website may obtain other users' information by sending a crafted HTTP request.

Affected Packages

Packagist ec-cube/ec-cube

Affected versions: 2.11.0 (fixed in 2.12.2)

Related CVEs

CVE-2014-0808

Key Information

GHSA ID

GHSA-j2hg-w4p4-6rvm

Published

May 17, 2022 4:54 AM

Last Modified

June 11, 2024 7:29 PM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

ec-cube/ec-cube

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 15, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.