{"id":"CVE-2023-40281","details":"EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in \"mail/template\" and \"products/product\" of the Management page.\r\nIf this vulnerability is exploited, an arbitrary script may be executed in the web browser of another administrator or of a user who accessed the website that uses the product.","modified":"2026-04-10T05:00:45.209494Z","published":"2023-08-17T07:15:44.153Z","references":[{"type":"ADVISORY","url":"https://jvn.jp/en/jp/JVN46993816/"},{"type":"FIX","url":"https://www.ec-cube.net/info/weakness/20230727/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ec-cube/ec-cube","events":[{"introduced":"1004363cf13cc929c0e077c0ac849a6d3c8c10bb"},{"last_affected":"13dfb352e47c6f231ead5e5b62dc0ec11e354789"},{"introduced":"e2547e2d1775ceacd7c73e1b72d5512efcdb45e7"},{"last_affected":"92fe8f744181641bb8ce0db28b988b089004fbfa"}],"database_specific":{"versions":[{"introduced":"2.11.0"},{"last_affected":"2.11.5"},{"introduced":"2.12.0"},{"last_affected":"2.12.6"}]}},{"type":"GIT","repo":"https://github.com/ec-cube/ec-cube2","events":[{"introduced":"9d428d236baa44358f56a38b3ba336222535f7fd"},{"fixed":"25e9c8c90ed17ce6857b78570e403bfa11095941"},{"introduced":"0f4bf44ed1980ed45b18fc4dfa1543f51c57c48e"},{"fixed":"eb43f49065a0e5f6c5367a5d2ae5fd994a5e3bb5"},{"introduced":"0"},{"last_affected":"25e9c8c90ed17ce6857b78570e403bfa11095941"},{"introduced":"0"},{"last_affected":"2778c65b3d56c32ba423a0b3f8a1bed1b963ff30"},{"introduced":"0"},{"last_affected":"eb43f49065a0e5f6c5367a5d2ae5fd994a5e3bb5"},{"introduced":"0"},{"last_affected":"073dbc8d37086bcb13bc8460cd244ccffa1830ac"}],"database_specific":{"versions":[{"introduced":"2.13.0"},{"fixed":"2.13.5"},{"introduced":"2.17.0"},{"fixed":"2.17.2"},{"introduced":"0"},{"last_affected":"2.13.5-NA"},{"introduced":"0"},{"last_affected":"2.13.5-patch1"},{"introduced":"0"},{"last_affected":"2.17.2-NA"},{"introduced":"0"},{"last_affected":"2.17.2-patch1"}]}}],"versions":["2
.13.5-p1","eccube-2.13.4","eccube-2.13.5","eccube-2.17.0","eccube-2.17.1","eccube-2.17.1-RC","eccube-2.17.2","eccube-2.17.2-p1","eccube2-weekly-20201110","eccube2-weekly-20201117","eccube2-weekly-20201124","eccube2-weekly-20201201","eccube2-weekly-20201208","eccube2-weekly-20201215","eccube2-weekly-20201222","eccube2-weekly-20201229","eccube2-weekly-20210105","eccube2-weekly-20210112","eccube2-weekly-20210119","eccube2-weekly-20210126","eccube2-weekly-20210202","eccube2-weekly-20210209","eccube2-weekly-20210216","eccube2-weekly-20210223","eccube2-weekly-20210302","eccube2-weekly-20210309","eccube2-weekly-20210316","eccube2-weekly-20210323","eccube2-weekly-20210330","eccube2-weekly-20210406","eccube2-weekly-20210413","eccube2-weekly-20210420","eccube2-weekly-20210427","eccube2-weekly-20210504","eccube2-weekly-20210511","eccube2-weekly-20210525","eccube2-weekly-20210601","eccube2-weekly-20210608","eccube2-weekly-20210615","eccube2-weekly-20210622","eccube2-weekly-20210629","eccube2-weekly-20210706","eccube2-weekly-20210713","eccube2-weekly-20210720","eccube2-weekly-20210727","eccube2-weekly-20210803","eccube2-weekly-20210817","eccube2-weekly-20210824","eccube2-weekly-20210831","eccube2-weekly-20210907","eccube2-weekly-20210914","eccube2-weekly-20210921","eccube2-weekly-20210928","eccube2-weekly-20211005","eccube2-weekly-20211012","eccube2-weekly-20211019","eccube2-weekly-20211026","eccube2-weekly-20211102","eccube2-weekly-20211109"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40281.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}]}