CVE-2021-20717: 
PHP vulnerability analysis and mitigation

Cross-site scripting vulnerability affects EC-CUBE versions 4.0.0 to 4.0.5, discovered and disclosed on May 7, 2021. The vulnerability allows remote attackers to inject specially crafted scripts in specific input fields of EC websites created using EC-CUBE, potentially leading to arbitrary script execution in the administrator's web browser (JVN Report, EC-CUBE News).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 score of 6.1 MEDIUM and CVSS v2.0 score of 4.3 MEDIUM. The vulnerability specifically affects the management page of EC-CUBE, where malicious scripts can be executed through specific operations (NVD, JVN Report).

If successfully exploited, the vulnerability allows attackers to execute arbitrary scripts in the administrator's web browser. Multiple sites have reported successful attacks, with some instances resulting in credit card information leakage (EC-CUBE News).

EC-CUBE has released version 4.0.5-p1 to address this vulnerability. Users are advised to either upgrade to this version or apply the provided hotfix patch. The cloud version (ec-cube.co) has been automatically patched. After applying the patch, users must clear their cache for the fix to take effect (EC-CUBE Release).

EC-CUBE has classified this as a high-severity vulnerability and is actively communicating updates through their official Twitter account. The company has also engaged with security firms for incident response and forensic investigation services (EC-CUBE News).