Cross-site scripting vulnerability in EC-CUBE EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific operation.

Affected Packages

Packagist ec-cube/ec-cube

Affected versions: 4.0.0 (fixed in 4.0.6)

Related CVEs

CVE-2021-20751

Key Information

GHSA ID

GHSA-r6qq-qc9m-98w2

Published

May 24, 2022 7:06 PM

Last Modified

April 25, 2024 8:40 PM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

ec-cube/ec-cube

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 9, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.