CVE-2022-25355
CVE-2022-25355 is a medium-severity vulnerability in Ec-cube with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-913.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- CVSS v2: 5.0
- EPSS exploit prediction: 1% (63rd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-913
- Affected product: Ec-cube
- Published:
- Last modified:
Description
EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users.
Frequently asked questions
- What is CVE-2022-25355?
- EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users.
- How severe is CVE-2022-25355?
- CVE-2022-25355 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2022-25355 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (63rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-25355?
- CVE-2022-25355 primarily affects Ec-cube. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-25355?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2022-25355 published?
- CVE-2022-25355 was published on 2022-02-24 and last updated on 2026-06-17.
References
Affected products (5)
- cpe:2.3:a:ec-cube:ec-cube:*:*:*:*:*:*:*:*
- cpe:2.3:a:ec-cube:ec-cube:3.0.18:-:*:*:*:*:*:*
- cpe:2.3:a:ec-cube:ec-cube:3.0.18:p1:*:*:*:*:*:*
- cpe:2.3:a:ec-cube:ec-cube:3.0.18:p2:*:*:*:*:*:*
- cpe:2.3:a:ec-cube:ec-cube:3.0.18:p3:*:*:*:*:*:*
More vulnerabilities in Ec-cube
- CVE-2020-5590 — High (CVSS 8.1): Directory traversal vulnerability in EC-CUBE 3.0.0 to 3.0.18 and 4.0.0 to 4.0.3 allows remote authenticated attackers…
- CVE-2021-20778 — High (CVSS 7.5): Improper access control vulnerability in EC-CUBE 4.0.6 (EC-CUBE 4 series) allows a remote attacker to bypass access…
- CVE-2020-5680 — High (CVSS 7.5): Improper input validation vulnerability in EC-CUBE versions from 3.0.5 to 3.0.18 allows a remote attacker to cause a…
- CVE-2008-4991 — High (CVSS 7.5): SQL injection vulnerability in LOCKON CO.,LTD. EC-CUBE 2.3.0 and earlier, 1.4.7 and earlier, and 1.5.0-beta2 and…
- CVE-2008-4534 — High (CVSS 7.5): SQL injection vulnerability in EC-CUBE Ver2 2.1.2a and earlier, and Ver2 RC 2.3.0-rc1 and earlier, allows remote…
- CVE-2023-46845 — High (CVSS 7.2): EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain…
Other CWE-913 vulnerabilities
- CVE-2026-47208 — Critical (CVSS 10.0): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout…
- CVE-2026-47137 — Critical (CVSS 10.0): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903)…
- CVE-2026-47131 — Critical (CVSS 10.0): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining…
- CVE-2023-29017 — Critical (CVSS 10.0): vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was…
- CVE-2022-36067 — Critical (CVSS 10.0): vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version…
- CVE-2026-34156 — Critical (CVSS 9.9): NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior…