6.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-7rhv-h82h-vpjh

GHSA-7rhv-h82h-vpjh: EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface

Vulnerability Allowing MFA Bypass

Affected EC-CUBE Versions

Versions: 4.1.0 – 4.3.1

Vulnerability Overview

If an administrator’s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication (2FA) and log in to the administrative interface.

Severity and Impact

CVSS v3.1 score
Base score: 6.2 / Temporal score: 5.7 / Environmental score (after mitigation and countermeasures): 0.0

An attacker can forcibly overwrite the 2FA configuration of an account with administrative privileges. As a result, the legitimate administrator can be locked out, while the attacker can log in to the administrative interface and perform unauthorized actions such as viewing sensitive information or tampering with the website.

Root Cause Details

There are flaws in the access control implementation for the 2FA settings page (/admin/two_factor_auth/set).

TwoFactorAuthListener.php
The route for the 2FA settings page (admin_two_factor_auth_set) is included in the list of routes excluded from the 2FA authentication check.
TwoFactorAuthController.php
Even for users who already have 2FA configured, the implementation allows reconfiguration (overwriting) of the 2FA secret key without passing 2FA authentication.

Attack Preconditions and Steps

Preconditions:

The attacker knows the administrative user’s ID and password.
2FA is enabled for that user.

Attack Steps:

Attempt to log in using the ID and password.
When the 2FA code entry screen is displayed, do not enter a code; instead, directly modify the URL to access /admin/two_factor_auth/set.
Because access is not denied, the attacker can generate and save (overwrite) a new 2FA secret key.

Miggo Vulnerability Database

→

GHSA-7rhv-h82h-vpjh

GHSA-7rhv-h82h-vpjh:

6.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ec-cube/ec-cube	composer	>= 4.1.0, <= 4.3.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows a Multi-Factor Authentication (MFA) bypass in EC-CUBE's administrative interface. The root cause lies in improper access control for the 2FA settings page. An attacker who has obtained an administrator's username and password can exploit this.

The analysis of the patch commit 094785943bfc3815c29f0cce9dbabb9bcc688474 reveals two key flaws that were fixed:

Unconditional Route Exclusion: In src/Eccube/EventListener/TwoFactorAuthListener.php, the onKernelController method was responsible for enforcing 2FA. However, it unconditionally excluded the 2FA setup route (admin_two_factor_auth_set) from this check. This allowed an authenticated (via password) but not 2FA-verified user to navigate directly to the 2FA setup page.
Lack of State Check in Controller: In src/Eccube/Controller/Admin/Setting/System/TwoFactorAuthController.php, the set method handled the logic for setting up a new 2FA device. This method did not verify if the user had already configured 2FA. An attacker could therefore access this page and overwrite the legitimate administrator's 2FA secret key, locking them out and allowing the attacker to generate their own valid 2FA codes.

The patch addresses these issues by:

Modifying TwoFactorAuthListener to only exclude the setup route from the 2FA check if the user has not yet configured a 2FA key.
Adding a check in TwoFactorAuthController::set to verify if a 2FA key is already configured. If it is, the user is redirected to the 2FA authentication page, preventing an unverified user from re-configuring the key.

During an exploit, a profiler would show calls to Eccube\EventListener\TwoFactorAuthListener::onKernelController followed by Eccube\Controller\Admin\Setting\System\TwoFactorAuthController::set as the attacker accesses the vulnerable endpoint to reset the MFA configuration.

Vulnerable functions

Eccube\Controller\Admin\Setting\System\TwoFactorAuthController::set

src/Eccube/Controller/Admin/Setting/System/TwoFactorAuthController.php

The `set` function in `TwoFactorAuthController` did not check if a user already had a 2FA key configured. This allowed an attacker who had compromised a user's credentials to access the 2FA setup page directly and overwrite the existing 2FA secret without needing to pass the initial 2FA challenge. The patch adds a check to redirect to the authentication page if a key is already present.

Eccube\EventListener\TwoFactorAuthListener::onKernelController

src/Eccube/EventListener/TwoFactorAuthListener.php

The `onKernelController` function, which is triggered on kernel controller events, used a constant `ROUTE_EXCLUDE` to bypass 2FA checks for certain routes. The `admin_two_factor_auth_set` route was included in this exclusion list. This meant that any user who had passed the initial password authentication could access the 2FA setup page without a 2FA challenge, even if 2FA was already enabled for their account. The patch removes this route from the unconditional exclusion and adds logic to only exclude it if the user has not yet configured a 2FA key.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.7

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-7rhv-h82h-vpjh: EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface

Vulnerability Allowing MFA Bypass

Affected EC-CUBE Versions

Vulnerability Overview

Severity and Impact

Root Cause Details

Attack Preconditions and Steps

GHSA-7rhv-h82h-vpjh:

6.7

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

6.7

6.7

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Technical Details

GHSA-7rhv-h82h-vpjh: EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface

Vulnerability Allowing MFA Bypass

Affected EC-CUBE Versions

Vulnerability Overview

Severity and Impact

Root Cause Details

Attack Preconditions and Steps

MFAバイパスが可能な脆弱性

EC-CUBEバージョン

脆弱性の概要

深刻度と影響

脆弱性の詳細な原因

攻撃の成立条件と手順

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI