DOM-based cross-site scripting vulnerability in EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote attacker to inject an arbitrary script by having an administrative user of the product to visit a specially crafted page.

Affected Packages

Packagist ec-cube/ec-cube

Affected versions: 4.0.0 (last affected: 4.1.2)

Related CVEs

CVE-2022-38975

Key Information

GHSA ID

GHSA-pggw-rqfm-72rh

Published

September 28, 2022 12:00 AM

Last Modified

April 25, 2024 8:41 PM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

ec-cube/ec-cube

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 10, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.