@alon710
Created March 6, 2026 03:40
GHSA-7RHV-H82H-VPJH: CVE-2026-30777: MFA Bypass in EC-CUBE Administrative Interface - CVE Security Report

CVSS Score: 4.9 Published: 2026-03-05 Full Report: https://cvereports.com/reports/GHSA-7RHV-H82H-VPJH

Summary

EC-CUBE, a widely used open-source e-commerce platform, contains an authentication bypass in the Multi-Factor Authentication (MFA) enforcement for its administrative interface. An attacker who already holds valid administrator credentials (username and password) can skip the TOTP challenge by requesting the MFA configuration route directly. That route was excluded from the authentication listener that enforces the second factor, so the attacker can overwrite the administrator's existing TOTP secret with one they control, then answer the challenge themselves and take over the account. The password remains a precondition; the flaw removes only the protection the second factor was meant to add, which is why the CVSS score is medium rather than critical.

TL;DR

An over-broad route exclusion in EC-CUBE's MFA enforcement allows an attacker who holds a valid administrator password to bypass 2FA. By navigating directly to the setup URL, the attacker overwrites the victim's TOTP secret without ever passing the challenge. Fixed in versions 4.3.1-p1, 4.2.3-p2, and 4.1.2-p5.
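The route-exclusion flaw described above, modelled as an added example (not EC-CUBE's code, which is PHP/Symfony and is not reproduced here): a request gate that exempts the setup route unconditionally, beside a hardened gate that exempts it only for an administrator who has not enrolled a secret yet. The challenge and logout route names, the session fields and the Admin record are assumptions for this model; only the route name 'admin_two_factor_auth_set' is taken from the advisory.

```python
"""Model of an admin MFA gate with the over-broad route exclusion the advisory
describes, beside a hardened form.

Added illustration, not EC-CUBE's code. Route names other than
'admin_two_factor_auth_set', the session fields and the Admin record are
assumptions for this model.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Routes that must stay reachable before the TOTP code has been entered:
# the challenge page itself and logout. (Assumed names.)
ALWAYS_EXEMPT = {"admin_two_factor_auth_challenge", "admin_logout"}
SETUP_ROUTE = "admin_two_factor_auth_set"  # route named in the advisory


@dataclass
class Admin:
    totp_secret: Optional[str]  # None means MFA is not enrolled yet


@dataclass
class Session:
    admin: Admin
    password_ok: bool = False    # first factor accepted
    mfa_verified: bool = False   # TOTP challenge passed in this session


Gate = Callable[[str, Session], str]


def gate_vulnerable(route: str, s: Session) -> str:
    """Setup route exempt unconditionally: with only the password, the
    attacker reaches it before the challenge and can re-enroll a secret."""
    if not s.password_ok:
        return "deny"
    if s.mfa_verified or route in ALWAYS_EXEMPT | {SETUP_ROUTE}:
        return "allow"
    return "redirect_to_challenge"


def gate_fixed(route: str, s: Session) -> str:
    """Setup route reachable pre-challenge only for first-time enrollment
    (no secret stored); an enrolled admin must pass the TOTP challenge first."""
    if not s.password_ok:
        return "deny"
    if s.mfa_verified or route in ALWAYS_EXEMPT:
        return "allow"
    if route == SETUP_ROUTE and s.admin.totp_secret is None:
        return "allow"
    return "redirect_to_challenge"


def handle_setup(route: str, s: Session, new_secret: str, gate: Gate) -> str:
    """Controller stand-in: stores the new secret only if the gate let the request through."""
    decision = gate(route, s)
    if decision == "allow":
        s.admin.totp_secret = new_secret
    return decision


def takeover_succeeds(gate: Gate) -> bool:
    """Attacker knows the password, has NOT passed TOTP, and posts a new secret."""
    victim = Admin(totp_secret="VICTIM-SECRET")
    s = Session(admin=victim, password_ok=True, mfa_verified=False)
    handle_setup(SETUP_ROUTE, s, "ATTACKER-SECRET", gate)
    return victim.totp_secret == "ATTACKER-SECRET"


def enrollment_still_works(gate: Gate) -> bool:
    """Regression check: an admin with no secret must still be able to enroll."""
    fresh = Admin(totp_secret=None)
    s = Session(admin=fresh, password_ok=True, mfa_verified=False)
    decision = handle_setup(SETUP_ROUTE, s, "NEW-SECRET", gate)
    return decision == "allow" and fresh.totp_secret == "NEW-SECRET"


if __name__ == "__main__":
    print("vulnerable gate, takeover:", takeover_succeeds(gate_vulnerable))  # True
    print("fixed gate, takeover:", takeover_succeeds(gate_fixed))            # False
    print("fixed gate, enrollment:", enrollment_still_works(gate_fixed))    # True
```

The hardened variant keeps the setup route open to an administrator with no secret yet, so initial enrollment is not broken, but an already-enrolled account must pass the TOTP challenge before it can change its secret. Whether the real fix is structured this way is not stated in the advisory; the general point is that any route able to alter MFA state has to sit behind the MFA gate, not in its exclusion list.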

Exploit Status: POC

Technical Details

  • CWE ID: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
  • Attack Vector: Network
  • CVSS v3.1: 4.9 (Medium)
  • CVSS v4.0: 6.9 (Medium)
  • Impact: Authentication Bypass
  • EPSS Score: 0.06%

Affected Systems

  • EC-CUBE 4.1.x: >= 4.1.0, <= 4.1.2 (fixed in 4.1.2-p5)
  • EC-CUBE 4.2.x: >= 4.2.0, <= 4.2.3 (fixed in 4.2.3-p2)
  • EC-CUBE 4.3.x: >= 4.3.0, <= 4.3.1 (fixed in 4.3.1-p1)

Mitigation

  • Update EC-CUBE to the fixed patch release for your branch (4.1.2-p5, 4.2.3-p2 or 4.3.1-p1) immediately.
  • Restrict access to the /admin directory to trusted IP addresses; on an unpatched system the password is the only remaining barrier, so network restriction is the main compensating control.
  • Monitor access logs for requests to the two-factor setup route (route name 'admin_two_factor_auth_set', path /admin/setting/system/two_factor_auth/set) that are not preceded by a successful TOTP verification from the same session or client.
  • After patching, review each administrator's TOTP enrollment: a secret an attacker has already swapped in stays valid after the update, so any unexpected change should be reset and that account's password rotated.
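A detection rule for the monitoring item above, as an added example that is not part of the advisory: it parses common-log-format lines and flags any request to the setup path from a client that has not completed a TOTP challenge in the preceding ten minutes. The log lines are constructed. The setup path is the one given in the remediation steps; the challenge path, the window and the convention that a POST to the challenge answered with a 302 means the code was accepted are assumptions to adapt to the deployment.

```python
"""Flag requests to the two-factor setup path that are not preceded by a
successful TOTP verification from the same client.

Added example, not part of the advisory. SAMPLE_LOG is constructed.
SETUP_PATH comes from the advisory; CHALLENGE_PATH, WINDOW and the
'POST + 302 = code accepted' heuristic are assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SETUP_PATH = "/admin/setting/system/two_factor_auth/set"   # from the advisory
CHALLENGE_PATH = "/admin/two_factor_auth/auth"             # assumed challenge path
WINDOW = timedelta(minutes=10)                             # assumed correlation window

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one legitimate re-enrollment after a passed challenge,
# then a second client that goes straight from login to the setup route.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Mar/2026:10:00:01 +0000] "POST /admin/login HTTP/1.1" 302 0',
    '203.0.113.5 - - [05/Mar/2026:10:00:03 +0000] "POST /admin/two_factor_auth/auth HTTP/1.1" 302 0',
    '203.0.113.5 - - [05/Mar/2026:10:01:10 +0000] "POST /admin/setting/system/two_factor_auth/set HTTP/1.1" 302 0',
    '198.51.100.7 - - [05/Mar/2026:11:20:00 +0000] "POST /admin/login HTTP/1.1" 302 0',
    '198.51.100.7 - - [05/Mar/2026:11:20:02 +0000] "GET /admin/setting/system/two_factor_auth/set HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Mar/2026:11:20:09 +0000] "POST /admin/setting/system/two_factor_auth/set HTTP/1.1" 302 0',
]


def parse(line: str) -> Optional[Dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop query string before comparing
        "status": int(m["status"]),
    }


def find_suspicious_setup_requests(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, method, timestamp) for setup-route requests with no
    accepted TOTP challenge from that ip inside WINDOW beforehand."""
    events = [e for e in (parse(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])          # logs are usually ordered, but be safe
    last_mfa_ok: Dict[str, datetime] = {}       # ip -> time the TOTP code was last accepted
    findings: List[Tuple[str, str, str]] = []
    for e in events:
        if e["path"] == CHALLENGE_PATH and e["method"] == "POST" and e["status"] in (302, 303):
            last_mfa_ok[e["ip"]] = e["ts"]      # assumed: redirect after POST = code accepted
        elif e["path"] == SETUP_PATH:
            ok = last_mfa_ok.get(e["ip"])
            if ok is None or e["ts"] - ok > WINDOW:
                findings.append((e["ip"], e["method"], e["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for ip, method, ts in find_suspicious_setup_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {method} {SETUP_PATH} without preceding TOTP success")
```

Correlating by client IP is the best an access log allows and will misfire behind shared NAT or a proxy that hides the client address; where the application log records MFA success per session, key on the session instead. The 302-on-POST heuristic also needs checking against the deployment, since a rejected code may redirect back to the form with the same status.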

Remediation Steps:

  1. Identify the running version of EC-CUBE (4.1, 4.2, or 4.3).
  2. Download the corresponding patch release or source update from the official EC-CUBE site.
  3. Apply the patch from the command line with bin/console eccube:composer:update, or via the plugin manager.
  4. Clear the application cache: bin/console cache:clear.
  5. Verify the fix: log in as an administrator who has MFA enrolled, stop at the TOTP prompt without entering a code, and request /admin/setting/system/two_factor_auth/set directly. You should be redirected back to the TOTP challenge instead of being shown the setup form. Repeat the request after completing the challenge to confirm that legitimate re-enrollment still works.

Generated by CVEReports - Automated Vulnerability Intelligence
