Search criteria
39 vulnerabilities found for eshop by oxid-esales
FKIE_CVE-2024-56526
Vulnerability from fkie_nvd - Published: 2025-05-13 16:15 - Updated: 2025-07-15 16:21
Severity ?
Summary
An issue was discovered in OXID eShop before 7. CMS pages in combination with Smarty may display user information if a CMS page contains a Smarty syntax error.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://bugs.oxid-esales.com/view.php?id=7743 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oxid-esales | eshop | 6.5.0 | |
| oxid-esales | eshop | 6.5.0 | |
| oxid-esales | eshop | 7.0.0 | |
| oxid-esales | eshop | 7.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.5.0:*:*:*:community:*:*:*",
"matchCriteriaId": "B654A612-C2B7-44F5-B739-1261FDF82F6A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.5.0:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "0AEFCAEF-0615-464E-9265-B80AF30B6153",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:7.0.0:*:*:*:community:*:*:*",
"matchCriteriaId": "5927C75A-B571-4DD6-9C05-A15CCB5D4F2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:7.0.0:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "C14F4ECE-F1AA-4F42-BABC-CEFD5B28E7F9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OXID eShop before 7. CMS pages in combination with Smarty may display user information if a CMS page contains a Smarty syntax error."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en OXID eShop anterior a la versi\u00f3n 7. Las p\u00e1ginas CMS en combinaci\u00f3n con Smarty pueden mostrar informaci\u00f3n del usuario si una p\u00e1gina CMS contiene un error de sintaxis de Smarty."
}
],
"id": "CVE-2024-56526",
"lastModified": "2025-07-15T16:21:35.763",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-05-13T16:15:28.380",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://bugs.oxid-esales.com/view.php?id=7743"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-38330
Vulnerability from fkie_nvd - Published: 2023-08-02 15:15 - Updated: 2024-11-21 08:13
Severity ?
Summary
OXID eShop Enterprise Edition 6.5.0 – 6.5.2 before 6.5.3 allows uploading files with modified headers in the administration area. An attacker can upload a file with a modified header to create a HTTP Response Splitting attack.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oxid-esales | eshop | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "6ACFB3E2-42D6-40B1-BA15-00322A7BE2BC",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OXID eShop Enterprise Edition 6.5.0 \u2013 6.5.2 before 6.5.3 allows uploading files with modified headers in the administration area. An attacker can upload a file with a modified header to create a HTTP Response Splitting attack."
},
{
"lang": "es",
"value": "OXID eShop Enterprise Edition 6.5.0 - 6.5.2 antes de 6.5.3 permite subir archivos con cabeceras modificadas en el \u00e1rea de administraci\u00f3n. Un atacante puede subir un archivo con una cabecera modificada para crear un ataque de separaci\u00f3n de respuesta HTTP. "
}
],
"id": "CVE-2023-38330",
"lastModified": "2024-11-21T08:13:20.670",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-02T15:15:10.813",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://bugs.oxid-esales.com/view.php?id=7479"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.oxid-esales.com/de/security/security-bulletins.html#security-bulletin-2023-002"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://bugs.oxid-esales.com/view.php?id=7479"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.oxid-esales.com/de/security/security-bulletins.html#security-bulletin-2023-002"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-17062
Vulnerability from fkie_nvd - Published: 2019-11-05 16:15 - Updated: 2024-11-21 04:31
Severity ?
Summary
An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel via session fixation.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:community:*:*:*",
"matchCriteriaId": "3AED6180-BFAF-4EFC-98B1-9296B72295F8",
"versionEndIncluding": "4.10.0",
"versionStartIncluding": "4.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:professional:*:*:*",
"matchCriteriaId": "D48A625C-5A2C-45CD-A77F-C5D007660008",
"versionEndIncluding": "4.10.0",
"versionStartIncluding": "4.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "0A7A960A-474B-43D6-A13D-1D5784B04702",
"versionEndIncluding": "5.3.0",
"versionStartIncluding": "5.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:community:*:*:*",
"matchCriteriaId": "6EFD9ED2-2480-4873-BF68-0F7EDF20D794",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "BCCE48FF-84F9-4EE6-97F1-9C03C5DF4637",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:professional:*:*:*",
"matchCriteriaId": "F1C62878-2CF4-49A3-BD28-083CDA8A0320",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:community:*:*:*",
"matchCriteriaId": "CCF05AF4-5011-4C8C-895D-6EE18090A935",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "3BA47977-51EA-46D8-9051-626C6FB7E90A",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:professional:*:*:*",
"matchCriteriaId": "70092AA6-16C1-47EC-A969-90D24D7EFC55",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "6.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel via session fixation."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en OXID eShop versiones 6.x anteriores a la versi\u00f3n 6.0.6 y versiones 6.1.x anteriores a la versi\u00f3n 6.1.5, OXID eShop Enterprise Edition Versi\u00f3n 5.2.x hasta la versi\u00f3n 5.3.x, OXID eShop Professional Edition Versi\u00f3n 4.9.x hasta 4.10.x y OXID Versi\u00f3n de eShop Community Edition: versiones 4.9.x hasta la versi\u00f3n 4.10.x. Mediante el uso de una URL especialmente dise\u00f1ada, los usuarios con derechos administrativos pueden otorgar involuntariamente el acceso de usuarios no autorizados al panel de administraci\u00f3n mediante una fijaci\u00f3n de sesi\u00f3n."
}
],
"id": "CVE-2019-17062",
"lastModified": "2024-11-21T04:31:37.777",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-05T16:15:10.507",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-384"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-13026
Vulnerability from fkie_nvd - Published: 2019-07-30 20:15 - Updated: 2024-11-21 04:24
Severity ?
Summary
OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B6BAB221-541A-4CD6-B9F8-F6E1BEC27509",
"versionEndExcluding": "6.0.5",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A7B9C31D-D975-4D5E-BFE8-4BD5D3FE1D98",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "6.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary."
},
{
"lang": "es",
"value": "eShop de OXID versiones 6.0.x anteriores a 6.0.5 y versiones 6.1.x anteriores a 6.1.4, permite una inyecci\u00f3n SQL por medio de una URL especialmente dise\u00f1ada, lo que conlleva al acceso completo de un atacante. Esto incluye todas las opciones del carrito de compras, datos del cliente y la base de datos. No es necesaria la interacci\u00f3n entre el atacante y la v\u00edctima."
}
],
"id": "CVE-2019-13026",
"lastModified": "2024-11-21T04:24:03.593",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-07-30T20:15:12.177",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-001.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-20715
Vulnerability from fkie_nvd - Published: 2019-01-15 16:29 - Updated: 2024-11-21 04:02
Severity ?
Summary
The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL injection via the oxid or synchoxid parameter to the oxConfig::getRequestParameter() method in core/oxconfig.php.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oxid-esales | eshop | 4.10.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:4.10.6:*:*:*:community:*:*:*",
"matchCriteriaId": "BED6AD50-D871-447E-BE0C-2CEA93A3DBC0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL injection via the oxid or synchoxid parameter to the oxConfig::getRequestParameter() method in core/oxconfig.php."
},
{
"lang": "es",
"value": "La capa de abstracci\u00f3n DB de OXID eSales 4.10.6 es vulnerable a una inyecci\u00f3n SQL mediante los par\u00e1metros oxid o synchoxid en el m\u00e9todo oxConfig::getRequestParameter() en core/oxconfig.php."
}
],
"id": "CVE-2018-20715",
"lastModified": "2024-11-21T04:02:01.103",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-01-15T16:29:00.540",
"references": [
{
"source": "cve@mitre.org",
"url": "https://demo.ripstech.com/main/%28scans/38/51//sidebar:types/38/51/0%29"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://demo.ripstech.com/main/%28scans/38/51//sidebar:types/38/51/0%29"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-12579
Vulnerability from fkie_nvd - Published: 2018-08-20 22:29 - Updated: 2024-11-21 03:45
Severity ?
Summary
An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attacker could gain access to the admin panel or a customer account when using the password reset function. To do so, it is required to own a domain name similar to the one the victim uses for their e-mail accounts.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://bugs.oxid-esales.com/view.php?id=6818 | Vendor Advisory | |
| cve@mitre.org | https://oxidforge.org/en/security-bulletin-2018-002.html | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.oxid-esales.com/view.php?id=6818 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://oxidforge.org/en/security-bulletin-2018-002.html | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.2 | |
| oxid-esales | eshop | 6.0.2 | |
| oxid-esales | eshop | 6.0.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:community:*:*:*",
"matchCriteriaId": "E892A194-4CD5-4106-A12B-64BC9830ED24",
"versionEndIncluding": "4.10.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:professional:*:*:*",
"matchCriteriaId": "9B413167-2113-41B0-9F50-828DC22BC2DB",
"versionEndIncluding": "4.10.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "9A5F828C-5E0B-4138-9246-A2F0AD9A5939",
"versionEndIncluding": "5.3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:beta1:*:*:community:*:*:*",
"matchCriteriaId": "583838B8-2BEB-4EE6-9CCD-57C2D86E8C6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:beta1:*:*:enterprise:*:*:*",
"matchCriteriaId": "7AA6AD10-1FB9-4558-80E8-5E7CD63A0EE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:beta1:*:*:professional:*:*:*",
"matchCriteriaId": "3A2E8BDF-2715-4273-AF07-AC435836B26B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:beta2:*:*:community:*:*:*",
"matchCriteriaId": "E147722A-2137-49B4-806B-4F3EEE96B168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:beta2:*:*:enterprise:*:*:*",
"matchCriteriaId": "6C2C235E-94C9-48E0-BE2C-A52A1C03DA0B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:beta2:*:*:professional:*:*:*",
"matchCriteriaId": "B5036786-1995-4DA8-B419-DE133E84AE1E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:beta3:*:*:community:*:*:*",
"matchCriteriaId": "024516A5-1CD2-42BA-BF3E-3F7107BCA0ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:beta3:*:*:enterprise:*:*:*",
"matchCriteriaId": "9F848F7E-ED36-440C-945F-52ADF033AE81",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:beta3:*:*:professional:*:*:*",
"matchCriteriaId": "766628BF-3692-49CC-919C-E1B846534127",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:community:*:*:*",
"matchCriteriaId": "B70B24C9-3B67-4577-B91E-DEA55FDBA401",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:enterprise:*:*:*",
"matchCriteriaId": "A019B397-0B3D-4BC2-BD89-D704718D9ED0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:professional:*:*:*",
"matchCriteriaId": "913BA158-23AE-4129-9533-0091496460B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc2:*:*:community:*:*:*",
"matchCriteriaId": "4339F463-2EF8-4072-8E06-51A865AE78C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc2:*:*:enterprise:*:*:*",
"matchCriteriaId": "D361898B-F113-4D5E-8ABD-ACCE5DF36FEC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc2:*:*:professional:*:*:*",
"matchCriteriaId": "91E65058-886F-4E13-97B8-711804F95F5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.2:*:*:*:community:*:*:*",
"matchCriteriaId": "D8BB9F2F-2CA6-447B-BE85-96D2244EE65E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.2:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "051470BA-A68A-45C5-8FBC-90B46901ADB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.2:*:*:*:professional:*:*:*",
"matchCriteriaId": "1A46C391-69E7-41CF-BD7E-FE0704FB5AC4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attacker could gain access to the admin panel or a customer account when using the password reset function. To do so, it is required to own a domain name similar to the one the victim uses for their e-mail accounts."
},
{
"lang": "es",
"value": "Se ha descubierto en OXID eShop Enterprise Edition en versiones anteriores a la 5.3.8, 6.0.x anteriores a la 6.0.3 y 6.1.x anteriores a la 6.1.0; Professional Edition en versiones anteriores a la 4.10.8, 5.x y 6.0.x anteriores a la 6.0.3 y 6.1.x anteriores a la 6.1.0 y Community Edition en versiones anteriores a la 4.10.8, 5.x y 6.0.x anteriores a la 6.0.3 y 6.1.x anteriores a la 6.1.0. Un atacante podr\u00eda obtener acceso al panel de administraci\u00f3n o a una cuenta de un cliente cuando se utiliza la funci\u00f3n de reinicio de contrase\u00f1a. Para ello, se necesita tener un nombre de dominio similar al que utiliza la v\u00edctima para sus cuentas de correo."
}
],
"id": "CVE-2018-12579",
"lastModified": "2024-11-21T03:45:28.343",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-08-20T22:29:00.233",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6818"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2018-002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6818"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2018-002.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-640"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-12415
Vulnerability from fkie_nvd - Published: 2018-02-20 23:29 - Updated: 2024-11-21 03:09
Severity ?
Summary
OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition before 6.0.0 RC2 (development), 4.9.x before 4.9.10 (legacy) and 4.10.x before 4.10.5 (maintenance) allow remote attackers to hijack the cart session of a client via Cross-Site Request Forgery (CSRF) if the following pre-conditions are met: (1) the attacker knows which shop is presently used by the client, (2) the attacker knows the exact time when the customer will add product items to the cart, (3) the attacker knows which product items are already in the cart (has to know their article IDs), and (4) the attacker would be able to trick user into clicking a button (submit form) of an e-mail or remote site within the period of visiting the shop and placing an order.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://bugs.oxid-esales.com/view.php?id=6674 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://oxidforge.org/en/security-bulletin-2017-001.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.oxid-esales.com/view.php?id=6674 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://oxidforge.org/en/security-bulletin-2017-001.html | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:community:*:*:*",
"matchCriteriaId": "1FEEDC08-0C1C-4116-8AE5-49CD7D425EC1",
"versionEndExcluding": "4.9.10",
"versionStartIncluding": "4.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:professional:*:*:*",
"matchCriteriaId": "33F13A43-3670-4D55-BD70-5E26ACA45CCC",
"versionEndExcluding": "4.9.10",
"versionStartIncluding": "4.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:community:*:*:*",
"matchCriteriaId": "4AF4EC8F-7117-4DD0-BD1E-2B044D642FC0",
"versionEndExcluding": "4.10.5",
"versionStartIncluding": "4.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:professional:*:*:*",
"matchCriteriaId": "1A69D17A-994A-48EC-9B4F-01257A68BF53",
"versionEndExcluding": "4.10.5",
"versionStartIncluding": "4.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "5CE46B4B-7F2A-4629-BDBC-FD2FCB969E75",
"versionEndExcluding": "5.2.10",
"versionStartIncluding": "5.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "F650109B-FF62-4837-B0EC-1A9B0ECA05A5",
"versionEndExcluding": "5.3.5",
"versionStartIncluding": "5.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:community:*:*:*",
"matchCriteriaId": "B70B24C9-3B67-4577-B91E-DEA55FDBA401",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:enterprise:*:*:*",
"matchCriteriaId": "A019B397-0B3D-4BC2-BD89-D704718D9ED0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:professional:*:*:*",
"matchCriteriaId": "913BA158-23AE-4129-9533-0091496460B9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition before 6.0.0 RC2 (development), 4.9.x before 4.9.10 (legacy) and 4.10.x before 4.10.5 (maintenance) allow remote attackers to hijack the cart session of a client via Cross-Site Request Forgery (CSRF) if the following pre-conditions are met: (1) the attacker knows which shop is presently used by the client, (2) the attacker knows the exact time when the customer will add product items to the cart, (3) the attacker knows which product items are already in the cart (has to know their article IDs), and (4) the attacker would be able to trick user into clicking a button (submit form) of an e-mail or remote site within the period of visiting the shop and placing an order."
},
{
"lang": "es",
"value": "OXID eShop Community Edition en versiones anteriores a la 6.0.0 RC2 (development), 4.10.x anteriores a la 4.10.5 (maintenance) y versiones 4.9.x anteriores a la 4.9.10 (legacy); Enterprise Edition en versiones anteriores a la 6.0.0 RC2 (development), versiones 5.2.x anteriores a la 5.2.10 (legacy) y versiones 5.3.x anteriores a la 5.3.5 (maintenance) y Professional Edition en versiones anteriores a la 6.0.0 RC2 (development), versiones 4.9.x anteriores a la 4.9.10 (legacy) y 4.10.x anteriores a la 4.10.5 (maintenance) permiten que atacantes remotos secuestren la sesi\u00f3n de la cesta de un cliente mediante Cross-Site Request Forgery (CSRF) si se cumplen los siguientes requisitos: (1) el atacante conoce qu\u00e9 tienda est\u00e1 siendo empleada actualmente por el cliente; (2) el atacante sabe en qu\u00e9 momento exacto a\u00f1adir\u00e1 el cliente productos en la cesta; (3) el atacante sabe qu\u00e9 productos est\u00e1n ya en la cesta (debe conocer los ID de los art\u00edculos) y (4) el atacante podr\u00eda enga\u00f1ar a un usuario para que haga clic en un bot\u00f3n (formulario de env\u00edo) de un email o sitio remoto en el per\u00edodo entre que se visita la tienda y se realiza un pedido."
}
],
"id": "CVE-2017-12415",
"lastModified": "2024-11-21T03:09:26.040",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-20T23:29:00.247",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6674"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2017-001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6674"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2017-001.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-14993
Vulnerability from fkie_nvd - Published: 2018-02-20 23:29 - Updated: 2024-11-21 03:13
Severity ?
Summary
OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka "forced browsing") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://bugs.oxid-esales.com/view.php?id=6678 | Vendor Advisory | |
| cve@mitre.org | https://oxidforge.org/en/security-bulletin-2017-002.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.oxid-esales.com/view.php?id=6678 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://oxidforge.org/en/security-bulletin-2017-002.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:community:*:*:*",
"matchCriteriaId": "E272C8A6-A5B7-4C04-8F14-B374857A3263",
"versionEndExcluding": "4.9.11",
"versionStartIncluding": "4.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:professional:*:*:*",
"matchCriteriaId": "E5D4F566-3F07-4D92-8C3E-FC4DDF5BF976",
"versionEndExcluding": "4.9.11",
"versionStartIncluding": "4.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:community:*:*:*",
"matchCriteriaId": "DF8C0A78-24C1-4751-9B5B-8D4980351DD2",
"versionEndExcluding": "4.10.6",
"versionStartIncluding": "4.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:professional:*:*:*",
"matchCriteriaId": "710F4268-7682-429B-ADB3-99008B38FD49",
"versionEndExcluding": "4.10.6",
"versionStartIncluding": "4.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "CF6863A0-FED8-4092-89AA-0AE5F169F80A",
"versionEndExcluding": "5.2.11",
"versionStartIncluding": "5.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "240BEC7B-F5EC-4761-9133-19EB4AC8238A",
"versionEndExcluding": "5.3.6",
"versionStartIncluding": "5.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:community:*:*:*",
"matchCriteriaId": "B70B24C9-3B67-4577-B91E-DEA55FDBA401",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:enterprise:*:*:*",
"matchCriteriaId": "A019B397-0B3D-4BC2-BD89-D704718D9ED0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:professional:*:*:*",
"matchCriteriaId": "913BA158-23AE-4129-9533-0091496460B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc2:*:*:community:*:*:*",
"matchCriteriaId": "4339F463-2EF8-4072-8E06-51A865AE78C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc2:*:*:enterprise:*:*:*",
"matchCriteriaId": "D361898B-F113-4D5E-8ABD-ACCE5DF36FEC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc2:*:*:professional:*:*:*",
"matchCriteriaId": "91E65058-886F-4E13-97B8-711804F95F5B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka \"forced browsing\") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option."
},
{
"lang": "es",
"value": "OXID eShop Community Edition en versiones anteriores a la 6.0.0 RC3 (development), 4.10.x anteriores a la 4.10.6 (maintenance) y versiones 4.9.x anteriores a la 04/09/2011 (legacy); Enterprise Edition en versiones anteriores a la 6.0.0 RC3 (development), versiones 5.2.x anteriores a la 05/02/2011 (legacy) y versiones 5.3.x anteriores a la 5.3.6 (maintenance) y Professional Edition en versiones anteriores a la 6.0.0 RC3 (development), versiones 4.9.x anteriores a la 04/09/2011 (legacy) y 4.10.x anteriores a la 4.10.6 (maintenance) permiten que atacantes remotos rastreen URL especialmente manipuladas (\"navegaci\u00f3n forzada\") para desbordar la base de datos de la tienda y hacer que deje de funcionar. Prerrequisito: la tienda permite mostrar las categor\u00edas vac\u00edas en la vista principal mediante una opci\u00f3n de administrador."
}
],
"id": "CVE-2017-14993",
"lastModified": "2024-11-21T03:13:54.867",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-20T23:29:00.307",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6678"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2017-002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6678"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2017-002.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-425"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-5763
Vulnerability from fkie_nvd - Published: 2018-02-19 21:29 - Updated: 2024-11-21 04:09
Severity ?
Summary
An issue was discovered in OXID eShop Enterprise Edition before 5.3.7 and 6.x before 6.0.1. By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill and hence, it stops working. This is only valid if OXID High Performance Option is activated and Varnish is used.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://oxidforge.org/en/security-bulletin-2018-001.html | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://oxidforge.org/en/security-bulletin-2018-001.html | Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oxid-esales | eshop | * | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 | |
| oxid-esales | eshop | 6.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "523FEBA1-AF39-4828-9C29-72A036A035A6",
"versionEndExcluding": "5.3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "05A19820-1BB2-411B-89FD-7670AB7C280D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:enterprise:*:*:*",
"matchCriteriaId": "A019B397-0B3D-4BC2-BD89-D704718D9ED0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc2:*:*:enterprise:*:*:*",
"matchCriteriaId": "D361898B-F113-4D5E-8ABD-ACCE5DF36FEC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:6.0.0:rc3:*:*:enterprise:*:*:*",
"matchCriteriaId": "37DCBF08-6CF5-4F6F-9547-6651F3D0C1C6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OXID eShop Enterprise Edition before 5.3.7 and 6.x before 6.0.1. By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill and hence, it stops working. This is only valid if OXID High Performance Option is activated and Varnish is used."
},
{
"lang": "es",
"value": "Se ha descubierto un problema en OXID eShop Enterprise Edition en versiones anteriores a la 5.3.7 y en versiones 6.x anteriores a la 6.0.1. Al introducir URL especialmente manipuladas, un atacante puede hacer que el servidor de la tienda se estanque y, por lo tanto, deje de funcionar. Esto solo es v\u00e1lido si OXID High Performance Option est\u00e1 activado y se emplea Varnish."
}
],
"id": "CVE-2018-5763",
"lastModified": "2024-11-21T04:09:20.970",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-19T21:29:00.333",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2018-001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2018-001.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-6926
Vulnerability from fkie_nvd - Published: 2018-01-19 15:29 - Updated: 2024-11-21 02:35
Severity ?
Summary
The OpenID Single Sign-On authentication functionality in OXID eShop before 4.5.0 allows remote attackers to impersonate users via the email address in a crafted authentication token.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://bugs.oxid-esales.com/view.php?id=6224 | Issue Tracking, Vendor Advisory | |
| cve@mitre.org | https://oxidforge.org/en/oxid-security-bulletin-2015-001.html | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.oxid-esales.com/view.php?id=6224 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://oxidforge.org/en/oxid-security-bulletin-2015-001.html | Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:community:*:*:*",
"matchCriteriaId": "BCAAAD74-49AE-414F-B961-1F81D9BD52D6",
"versionEndIncluding": "4.4.8",
"versionStartIncluding": "4.0.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "1C2B540B-E95C-4F07-BD13-63F934C6112B",
"versionEndIncluding": "4.4.8",
"versionStartIncluding": "4.0.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:professional:*:*:*",
"matchCriteriaId": "35D8D29B-0233-4002-B372-A8DBA41C9E4C",
"versionEndIncluding": "4.4.8",
"versionStartIncluding": "4.0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The OpenID Single Sign-On authentication functionality in OXID eShop before 4.5.0 allows remote attackers to impersonate users via the email address in a crafted authentication token."
},
{
"lang": "es",
"value": "La funcionalidad de autenticaci\u00f3n OpenID Single Sign-On en OXID eShop en versiones anteriores a la 4.5.0 permite que atacantes remotos suplanten usuarios mediante la direcci\u00f3n de email en un token de autenticaci\u00f3n manipulado."
}
],
"id": "CVE-2015-6926",
"lastModified": "2024-11-21T02:35:53.393",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-01-19T15:29:00.280",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6224"
},
{
"source": "cve@mitre.org",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/oxid-security-bulletin-2015-001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6224"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/oxid-security-bulletin-2015-001.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-4919
Vulnerability from fkie_nvd - Published: 2018-01-19 15:29 - Updated: 2024-11-21 02:11
Severity ?
Summary
OXID eShop Professional Edition before 4.7.13 and 4.8.x before 4.8.7, Enterprise Edition before 5.0.13 and 5.1.x before 5.1.7, and Community Edition before 4.7.13 and 4.8.x before 4.8.7 allow remote attackers to assign users to arbitrary dynamical user groups.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://bugs.oxid-esales.com/view.php?id=5814 | Issue Tracking, Vendor Advisory | |
| cve@mitre.org | https://oxidforge.org/en/security-bulletin-2014-003.html | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.oxid-esales.com/view.php?id=5814 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://oxidforge.org/en/security-bulletin-2014-003.html | Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * | |
| oxid-esales | eshop | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:professional:*:*:*",
"matchCriteriaId": "AD794519-239E-4A85-A957-CBB0DF6FD8C0",
"versionEndExcluding": "4.7.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:professional:*:*:*",
"matchCriteriaId": "03ABA365-43FB-4512-9880-4C942D75DA3D",
"versionEndExcluding": "4.8.7",
"versionStartIncluding": "4.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "F806583A-D025-4CE9-B85B-A2A6A8A94E04",
"versionEndExcluding": "5.0.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "C4D13B14-0841-43FC-BC95-CF2CB0805E17",
"versionEndExcluding": "5.1.7",
"versionStartIncluding": "5.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:community:*:*:*",
"matchCriteriaId": "AE598538-7146-41D3-A5D6-6214574B80D0",
"versionEndExcluding": "4.7.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:community:*:*:*",
"matchCriteriaId": "808FE10F-60B9-471A-8B13-EE36B72DBF52",
"versionEndExcluding": "4.8.7",
"versionStartIncluding": "4.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OXID eShop Professional Edition before 4.7.13 and 4.8.x before 4.8.7, Enterprise Edition before 5.0.13 and 5.1.x before 5.1.7, and Community Edition before 4.7.13 and 4.8.x before 4.8.7 allow remote attackers to assign users to arbitrary dynamical user groups."
},
{
"lang": "es",
"value": "OXID eShop Professional Edition en versiones anteriores a la 4.7.13 y versiones 4.8.x anteriores a la 4.8.7, Enterprise Edition en versiones anteriores a la 5.0.13 y las versiones 5.1.x anteriores a la 5.1.7 y Community Edition en versiones anteriores a la 4.7.13 y versiones 4.8.x anteriores a la 4.8.7 permiten que atacantes remotos asignen usuarios a grupos de usuarios din\u00e1micos arbitrarios."
}
],
"id": "CVE-2014-4919",
"lastModified": "2024-11-21T02:11:07.047",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-01-19T15:29:00.217",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugs.oxid-esales.com/view.php?id=5814"
},
{
"source": "cve@mitre.org",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2014-003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugs.oxid-esales.com/view.php?id=5814"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://oxidforge.org/en/security-bulletin-2014-003.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-56526 (GCVE-0-2024-56526)
Vulnerability from cvelistv5 – Published: 2025-05-13 00:00 – Updated: 2025-05-14 14:02
VLAI?
Summary
An issue was discovered in OXID eShop before 7. CMS pages in combination with Smarty may display user information if a CMS page contains a Smarty syntax error.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56526",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T14:01:25.380372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T14:02:05.974Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OXID eShop before 7. CMS pages in combination with Smarty may display user information if a CMS page contains a Smarty syntax error."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T15:28:24.040Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://bugs.oxid-esales.com/view.php?id=7743"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-56526",
"datePublished": "2025-05-13T00:00:00.000Z",
"dateReserved": "2024-12-27T00:00:00.000Z",
"dateUpdated": "2025-05-14T14:02:05.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38330 (GCVE-0-2023-38330)
Vulnerability from cvelistv5 – Published: 2023-08-02 00:00 – Updated: 2024-10-18 14:47
VLAI?
Summary
OXID eShop Enterprise Edition 6.5.0 – 6.5.2 before 6.5.3 allows uploading files with modified headers in the administration area. An attacker can upload a file with a modified header to create a HTTP Response Splitting attack.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:39:12.315Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugs.oxid-esales.com/view.php?id=7479"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.oxid-esales.com/de/security/security-bulletins.html#security-bulletin-2023-002"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38330",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-18T14:47:18.412635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-18T14:47:48.377Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OXID eShop Enterprise Edition 6.5.0 \u2013 6.5.2 before 6.5.3 allows uploading files with modified headers in the administration area. An attacker can upload a file with a modified header to create a HTTP Response Splitting attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-02T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://bugs.oxid-esales.com/view.php?id=7479"
},
{
"url": "https://docs.oxid-esales.com/de/security/security-bulletins.html#security-bulletin-2023-002"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-38330",
"datePublished": "2023-08-02T00:00:00",
"dateReserved": "2023-07-14T00:00:00",
"dateUpdated": "2024-10-18T14:47:48.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-17062 (GCVE-0-2019-17062)
Vulnerability from cvelistv5 – Published: 2019-11-05 15:24 – Updated: 2024-08-05 01:33
VLAI?
Summary
An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel via session fixation.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:33:15.792Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel via session fixation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T15:24:57",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-17062",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel via session fixation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://oxidforge.org/en/security-bulletin-2019-002.html",
"refsource": "MISC",
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
},
{
"name": "https://oxidforge.org/en/security-bulletin-2019-002.html",
"refsource": "CONFIRM",
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-17062",
"datePublished": "2019-11-05T15:24:34",
"dateReserved": "2019-10-01T00:00:00",
"dateUpdated": "2024-08-05T01:33:15.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-13026 (GCVE-0-2019-13026)
Vulnerability from cvelistv5 – Published: 2019-07-30 19:39 – Updated: 2024-08-04 23:41
VLAI?
Summary
OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:41:09.630Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-30T19:39:25",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-001.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13026",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://oxidforge.org/en/security-bulletin-2019-001.html",
"refsource": "CONFIRM",
"url": "https://oxidforge.org/en/security-bulletin-2019-001.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13026",
"datePublished": "2019-07-30T19:39:25",
"dateReserved": "2019-06-28T00:00:00",
"dateUpdated": "2024-08-04T23:41:09.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-20715 (GCVE-0-2018-20715)
Vulnerability from cvelistv5 – Published: 2019-01-15 16:00 – Updated: 2024-08-05 12:12
VLAI?
Summary
The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL injection via the oxid or synchoxid parameter to the oxConfig::getRequestParameter() method in core/oxconfig.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:12:28.338Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://demo.ripstech.com/main/%28scans/38/51//sidebar:types/38/51/0%29"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-01-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL injection via the oxid or synchoxid parameter to the oxConfig::getRequestParameter() method in core/oxconfig.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-15T16:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://demo.ripstech.com/main/%28scans/38/51//sidebar:types/38/51/0%29"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-20715",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL injection via the oxid or synchoxid parameter to the oxConfig::getRequestParameter() method in core/oxconfig.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://demo.ripstech.com/main/(scans/38/51//sidebar:types/38/51/0)",
"refsource": "MISC",
"url": "https://demo.ripstech.com/main/(scans/38/51//sidebar:types/38/51/0)"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-20715",
"datePublished": "2019-01-15T16:00:00",
"dateReserved": "2019-01-15T00:00:00",
"dateUpdated": "2024-08-05T12:12:28.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-12579 (GCVE-0-2018-12579)
Vulnerability from cvelistv5 – Published: 2018-08-20 22:00 – Updated: 2024-08-05 08:38
VLAI?
Summary
An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attacker could gain access to the admin panel or a customer account when using the password reset function. To do so, it is required to own a domain name similar to the one the victim uses for their e-mail accounts.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:38:06.330Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6818"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://oxidforge.org/en/security-bulletin-2018-002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-04-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attacker could gain access to the admin panel or a customer account when using the password reset function. To do so, it is required to own a domain name similar to the one the victim uses for their e-mail accounts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-08-20T21:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6818"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://oxidforge.org/en/security-bulletin-2018-002.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-12579",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attacker could gain access to the admin panel or a customer account when using the password reset function. To do so, it is required to own a domain name similar to the one the victim uses for their e-mail accounts."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.oxid-esales.com/view.php?id=6818",
"refsource": "CONFIRM",
"url": "https://bugs.oxid-esales.com/view.php?id=6818"
},
{
"name": "https://oxidforge.org/en/security-bulletin-2018-002.html",
"refsource": "CONFIRM",
"url": "https://oxidforge.org/en/security-bulletin-2018-002.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-12579",
"datePublished": "2018-08-20T22:00:00",
"dateReserved": "2018-06-19T00:00:00",
"dateUpdated": "2024-08-05T08:38:06.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-12415 (GCVE-0-2017-12415)
Vulnerability from cvelistv5 – Published: 2018-02-20 23:00 – Updated: 2024-08-05 18:36
VLAI?
Summary
OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition before 6.0.0 RC2 (development), 4.9.x before 4.9.10 (legacy) and 4.10.x before 4.10.5 (maintenance) allow remote attackers to hijack the cart session of a client via Cross-Site Request Forgery (CSRF) if the following pre-conditions are met: (1) the attacker knows which shop is presently used by the client, (2) the attacker knows the exact time when the customer will add product items to the cart, (3) the attacker knows which product items are already in the cart (has to know their article IDs), and (4) the attacker would be able to trick user into clicking a button (submit form) of an e-mail or remote site within the period of visiting the shop and placing an order.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:36:56.184Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6674"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://oxidforge.org/en/security-bulletin-2017-001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-08-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition before 6.0.0 RC2 (development), 4.9.x before 4.9.10 (legacy) and 4.10.x before 4.10.5 (maintenance) allow remote attackers to hijack the cart session of a client via Cross-Site Request Forgery (CSRF) if the following pre-conditions are met: (1) the attacker knows which shop is presently used by the client, (2) the attacker knows the exact time when the customer will add product items to the cart, (3) the attacker knows which product items are already in the cart (has to know their article IDs), and (4) the attacker would be able to trick user into clicking a button (submit form) of an e-mail or remote site within the period of visiting the shop and placing an order."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-20T22:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6674"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://oxidforge.org/en/security-bulletin-2017-001.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-12415",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition before 6.0.0 RC2 (development), 4.9.x before 4.9.10 (legacy) and 4.10.x before 4.10.5 (maintenance) allow remote attackers to hijack the cart session of a client via Cross-Site Request Forgery (CSRF) if the following pre-conditions are met: (1) the attacker knows which shop is presently used by the client, (2) the attacker knows the exact time when the customer will add product items to the cart, (3) the attacker knows which product items are already in the cart (has to know their article IDs), and (4) the attacker would be able to trick user into clicking a button (submit form) of an e-mail or remote site within the period of visiting the shop and placing an order."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.oxid-esales.com/view.php?id=6674",
"refsource": "CONFIRM",
"url": "https://bugs.oxid-esales.com/view.php?id=6674"
},
{
"name": "https://oxidforge.org/en/security-bulletin-2017-001.html",
"refsource": "CONFIRM",
"url": "https://oxidforge.org/en/security-bulletin-2017-001.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-12415",
"datePublished": "2018-02-20T23:00:00",
"dateReserved": "2017-08-03T00:00:00",
"dateUpdated": "2024-08-05T18:36:56.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-14993 (GCVE-0-2017-14993)
Vulnerability from cvelistv5 – Published: 2018-02-20 23:00 – Updated: 2024-08-05 19:42
VLAI?
Summary
OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka "forced browsing") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:42:22.366Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6678"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://oxidforge.org/en/security-bulletin-2017-002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-11-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka \"forced browsing\") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-20T22:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6678"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://oxidforge.org/en/security-bulletin-2017-002.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-14993",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka \"forced browsing\") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.oxid-esales.com/view.php?id=6678",
"refsource": "CONFIRM",
"url": "https://bugs.oxid-esales.com/view.php?id=6678"
},
{
"name": "https://oxidforge.org/en/security-bulletin-2017-002.html",
"refsource": "CONFIRM",
"url": "https://oxidforge.org/en/security-bulletin-2017-002.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-14993",
"datePublished": "2018-02-20T23:00:00",
"dateReserved": "2017-10-03T00:00:00",
"dateUpdated": "2024-08-05T19:42:22.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-5763 (GCVE-0-2018-5763)
Vulnerability from cvelistv5 – Published: 2018-02-19 21:00 – Updated: 2024-08-05 05:40
VLAI?
Summary
An issue was discovered in OXID eShop Enterprise Edition before 5.3.7 and 6.x before 6.0.1. By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill and hence, it stops working. This is only valid if OXID High Performance Option is activated and Varnish is used.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:40:51.173Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://oxidforge.org/en/security-bulletin-2018-001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OXID eShop Enterprise Edition before 5.3.7 and 6.x before 6.0.1. By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill and hence, it stops working. This is only valid if OXID High Performance Option is activated and Varnish is used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-19T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://oxidforge.org/en/security-bulletin-2018-001.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-5763",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in OXID eShop Enterprise Edition before 5.3.7 and 6.x before 6.0.1. By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill and hence, it stops working. This is only valid if OXID High Performance Option is activated and Varnish is used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://oxidforge.org/en/security-bulletin-2018-001.html",
"refsource": "CONFIRM",
"url": "https://oxidforge.org/en/security-bulletin-2018-001.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-5763",
"datePublished": "2018-02-19T21:00:00",
"dateReserved": "2018-01-17T00:00:00",
"dateUpdated": "2024-08-05T05:40:51.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-6926 (GCVE-0-2015-6926)
Vulnerability from cvelistv5 – Published: 2018-01-19 15:00 – Updated: 2024-08-06 07:36
VLAI?
Summary
The OpenID Single Sign-On authentication functionality in OXID eShop before 4.5.0 allows remote attackers to impersonate users via the email address in a crafted authentication token.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:36:34.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://oxidforge.org/en/oxid-security-bulletin-2015-001.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6224"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-09-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The OpenID Single Sign-On authentication functionality in OXID eShop before 4.5.0 allows remote attackers to impersonate users via the email address in a crafted authentication token."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-19T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://oxidforge.org/en/oxid-security-bulletin-2015-001.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6224"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-6926",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The OpenID Single Sign-On authentication functionality in OXID eShop before 4.5.0 allows remote attackers to impersonate users via the email address in a crafted authentication token."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://oxidforge.org/en/oxid-security-bulletin-2015-001.html",
"refsource": "CONFIRM",
"url": "https://oxidforge.org/en/oxid-security-bulletin-2015-001.html"
},
{
"name": "https://bugs.oxid-esales.com/view.php?id=6224",
"refsource": "CONFIRM",
"url": "https://bugs.oxid-esales.com/view.php?id=6224"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-6926",
"datePublished": "2018-01-19T15:00:00",
"dateReserved": "2015-09-14T00:00:00",
"dateUpdated": "2024-08-06T07:36:34.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56526 (GCVE-0-2024-56526)
Vulnerability from nvd – Published: 2025-05-13 00:00 – Updated: 2025-05-14 14:02
VLAI?
Summary
An issue was discovered in OXID eShop before 7. CMS pages in combination with Smarty may display user information if a CMS page contains a Smarty syntax error.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56526",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T14:01:25.380372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T14:02:05.974Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OXID eShop before 7. CMS pages in combination with Smarty may display user information if a CMS page contains a Smarty syntax error."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T15:28:24.040Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://bugs.oxid-esales.com/view.php?id=7743"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-56526",
"datePublished": "2025-05-13T00:00:00.000Z",
"dateReserved": "2024-12-27T00:00:00.000Z",
"dateUpdated": "2025-05-14T14:02:05.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38330 (GCVE-0-2023-38330)
Vulnerability from nvd – Published: 2023-08-02 00:00 – Updated: 2024-10-18 14:47
VLAI?
Summary
OXID eShop Enterprise Edition 6.5.0 – 6.5.2 before 6.5.3 allows uploading files with modified headers in the administration area. An attacker can upload a file with a modified header to create a HTTP Response Splitting attack.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:39:12.315Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugs.oxid-esales.com/view.php?id=7479"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.oxid-esales.com/de/security/security-bulletins.html#security-bulletin-2023-002"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38330",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-18T14:47:18.412635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-18T14:47:48.377Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OXID eShop Enterprise Edition 6.5.0 \u2013 6.5.2 before 6.5.3 allows uploading files with modified headers in the administration area. An attacker can upload a file with a modified header to create a HTTP Response Splitting attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-02T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://bugs.oxid-esales.com/view.php?id=7479"
},
{
"url": "https://docs.oxid-esales.com/de/security/security-bulletins.html#security-bulletin-2023-002"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-38330",
"datePublished": "2023-08-02T00:00:00",
"dateReserved": "2023-07-14T00:00:00",
"dateUpdated": "2024-10-18T14:47:48.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-17062 (GCVE-0-2019-17062)
Vulnerability from nvd – Published: 2019-11-05 15:24 – Updated: 2024-08-05 01:33
VLAI?
Summary
An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel via session fixation.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:33:15.792Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel via session fixation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T15:24:57",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-17062",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel via session fixation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://oxidforge.org/en/security-bulletin-2019-002.html",
"refsource": "MISC",
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
},
{
"name": "https://oxidforge.org/en/security-bulletin-2019-002.html",
"refsource": "CONFIRM",
"url": "https://oxidforge.org/en/security-bulletin-2019-002.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-17062",
"datePublished": "2019-11-05T15:24:34",
"dateReserved": "2019-10-01T00:00:00",
"dateUpdated": "2024-08-05T01:33:15.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-13026 (GCVE-0-2019-13026)
Vulnerability from nvd – Published: 2019-07-30 19:39 – Updated: 2024-08-04 23:41
VLAI?
Summary
OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:41:09.630Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-30T19:39:25",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://oxidforge.org/en/security-bulletin-2019-001.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13026",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://oxidforge.org/en/security-bulletin-2019-001.html",
"refsource": "CONFIRM",
"url": "https://oxidforge.org/en/security-bulletin-2019-001.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13026",
"datePublished": "2019-07-30T19:39:25",
"dateReserved": "2019-06-28T00:00:00",
"dateUpdated": "2024-08-04T23:41:09.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-20715 (GCVE-0-2018-20715)
Vulnerability from nvd – Published: 2019-01-15 16:00 – Updated: 2024-08-05 12:12
VLAI?
Summary
The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL injection via the oxid or synchoxid parameter to the oxConfig::getRequestParameter() method in core/oxconfig.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:12:28.338Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://demo.ripstech.com/main/%28scans/38/51//sidebar:types/38/51/0%29"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-01-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL injection via the oxid or synchoxid parameter to the oxConfig::getRequestParameter() method in core/oxconfig.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-15T16:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://demo.ripstech.com/main/%28scans/38/51//sidebar:types/38/51/0%29"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-20715",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL injection via the oxid or synchoxid parameter to the oxConfig::getRequestParameter() method in core/oxconfig.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://demo.ripstech.com/main/(scans/38/51//sidebar:types/38/51/0)",
"refsource": "MISC",
"url": "https://demo.ripstech.com/main/(scans/38/51//sidebar:types/38/51/0)"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-20715",
"datePublished": "2019-01-15T16:00:00",
"dateReserved": "2019-01-15T00:00:00",
"dateUpdated": "2024-08-05T12:12:28.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-12579 (GCVE-0-2018-12579)
Vulnerability from nvd – Published: 2018-08-20 22:00 – Updated: 2024-08-05 08:38
VLAI?
Summary
An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attacker could gain access to the admin panel or a customer account when using the password reset function. To do so, it is required to own a domain name similar to the one the victim uses for their e-mail accounts.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:38:06.330Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6818"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://oxidforge.org/en/security-bulletin-2018-002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-04-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attacker could gain access to the admin panel or a customer account when using the password reset function. To do so, it is required to own a domain name similar to the one the victim uses for their e-mail accounts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-08-20T21:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6818"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://oxidforge.org/en/security-bulletin-2018-002.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-12579",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attacker could gain access to the admin panel or a customer account when using the password reset function. To do so, it is required to own a domain name similar to the one the victim uses for their e-mail accounts."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.oxid-esales.com/view.php?id=6818",
"refsource": "CONFIRM",
"url": "https://bugs.oxid-esales.com/view.php?id=6818"
},
{
"name": "https://oxidforge.org/en/security-bulletin-2018-002.html",
"refsource": "CONFIRM",
"url": "https://oxidforge.org/en/security-bulletin-2018-002.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-12579",
"datePublished": "2018-08-20T22:00:00",
"dateReserved": "2018-06-19T00:00:00",
"dateUpdated": "2024-08-05T08:38:06.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-12415 (GCVE-0-2017-12415)
Vulnerability from nvd – Published: 2018-02-20 23:00 – Updated: 2024-08-05 18:36
VLAI?
Summary
OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition before 6.0.0 RC2 (development), 4.9.x before 4.9.10 (legacy) and 4.10.x before 4.10.5 (maintenance) allow remote attackers to hijack the cart session of a client via Cross-Site Request Forgery (CSRF) if the following pre-conditions are met: (1) the attacker knows which shop is presently used by the client, (2) the attacker knows the exact time when the customer will add product items to the cart, (3) the attacker knows which product items are already in the cart (has to know their article IDs), and (4) the attacker would be able to trick user into clicking a button (submit form) of an e-mail or remote site within the period of visiting the shop and placing an order.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:36:56.184Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6674"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://oxidforge.org/en/security-bulletin-2017-001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-08-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition before 6.0.0 RC2 (development), 4.9.x before 4.9.10 (legacy) and 4.10.x before 4.10.5 (maintenance) allow remote attackers to hijack the cart session of a client via Cross-Site Request Forgery (CSRF) if the following pre-conditions are met: (1) the attacker knows which shop is presently used by the client, (2) the attacker knows the exact time when the customer will add product items to the cart, (3) the attacker knows which product items are already in the cart (has to know their article IDs), and (4) the attacker would be able to trick user into clicking a button (submit form) of an e-mail or remote site within the period of visiting the shop and placing an order."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-20T22:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6674"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://oxidforge.org/en/security-bulletin-2017-001.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-12415",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition before 6.0.0 RC2 (development), 4.9.x before 4.9.10 (legacy) and 4.10.x before 4.10.5 (maintenance) allow remote attackers to hijack the cart session of a client via Cross-Site Request Forgery (CSRF) if the following pre-conditions are met: (1) the attacker knows which shop is presently used by the client, (2) the attacker knows the exact time when the customer will add product items to the cart, (3) the attacker knows which product items are already in the cart (has to know their article IDs), and (4) the attacker would be able to trick user into clicking a button (submit form) of an e-mail or remote site within the period of visiting the shop and placing an order."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.oxid-esales.com/view.php?id=6674",
"refsource": "CONFIRM",
"url": "https://bugs.oxid-esales.com/view.php?id=6674"
},
{
"name": "https://oxidforge.org/en/security-bulletin-2017-001.html",
"refsource": "CONFIRM",
"url": "https://oxidforge.org/en/security-bulletin-2017-001.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-12415",
"datePublished": "2018-02-20T23:00:00",
"dateReserved": "2017-08-03T00:00:00",
"dateUpdated": "2024-08-05T18:36:56.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-14993 (GCVE-0-2017-14993)
Vulnerability from nvd – Published: 2018-02-20 23:00 – Updated: 2024-08-05 19:42
VLAI?
Summary
OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka "forced browsing") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:42:22.366Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6678"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://oxidforge.org/en/security-bulletin-2017-002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-11-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka \"forced browsing\") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-20T22:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.oxid-esales.com/view.php?id=6678"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://oxidforge.org/en/security-bulletin-2017-002.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-14993",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka \"forced browsing\") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.oxid-esales.com/view.php?id=6678",
"refsource": "CONFIRM",
"url": "https://bugs.oxid-esales.com/view.php?id=6678"
},
{
"name": "https://oxidforge.org/en/security-bulletin-2017-002.html",
"refsource": "CONFIRM",
"url": "https://oxidforge.org/en/security-bulletin-2017-002.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-14993",
"datePublished": "2018-02-20T23:00:00",
"dateReserved": "2017-10-03T00:00:00",
"dateUpdated": "2024-08-05T19:42:22.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-5763 (GCVE-0-2018-5763)
Vulnerability from nvd – Published: 2018-02-19 21:00 – Updated: 2024-08-05 05:40
VLAI?
Summary
An issue was discovered in OXID eShop Enterprise Edition before 5.3.7 and 6.x before 6.0.1. By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill and hence, it stops working. This is only valid if OXID High Performance Option is activated and Varnish is used.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:40:51.173Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://oxidforge.org/en/security-bulletin-2018-001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OXID eShop Enterprise Edition before 5.3.7 and 6.x before 6.0.1. By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill and hence, it stops working. This is only valid if OXID High Performance Option is activated and Varnish is used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-19T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://oxidforge.org/en/security-bulletin-2018-001.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-5763",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in OXID eShop Enterprise Edition before 5.3.7 and 6.x before 6.0.1. By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill and hence, it stops working. This is only valid if OXID High Performance Option is activated and Varnish is used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://oxidforge.org/en/security-bulletin-2018-001.html",
"refsource": "CONFIRM",
"url": "https://oxidforge.org/en/security-bulletin-2018-001.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-5763",
"datePublished": "2018-02-19T21:00:00",
"dateReserved": "2018-01-17T00:00:00",
"dateUpdated": "2024-08-05T05:40:51.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}