GHSA-pw97-6v74-9w3p
GitHub Security Advisory
EC-CUBE improperly handles HTTP Host header values
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may allow a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an email containing a forged password-reissue URL to EC-CUBE users.
Affected Packages
Packagist: ec-cube/ec-cube
Affected versions: 3.0.0 (last affected: 3.0.18-p3)
Packagist: ec-cube/ec-cube
Affected versions: 4.0.0 (fixed in 4.1.2)
Key Information
5.0/10
Dataset
Last updated: July 9, 2025 6:27 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.