Security bulletin: 2013-001

This bulletin has been assigned a CVE identifier of CVE-2013-5913
CVSS score 2.1
Released: October 8th, 2013

The following issue has been identified:

Synopsis

A XSS vulnerability was found.

State

Resolved in OXID eShop Professional and Community Edition version 4.7.8 and OXID eShop Enterprise Edition version 5.0.8. Will be resolved in OXID eShop all editions with version 4.6.7 of the former series.

Impact

Under certain circumstances, an attacker can trick a user to enter a specially crafted URI or click on a mal-formed link to exploit a cross-site scripting vulnerability that theoretically can be used to gain unauthorized access to a user account or collect sensitive information of this user.

No exploits are known as of today.

Affected products, releases and platforms

Products:

  • OXID eShop Professional Edition
  • OXID eShop Enterprise Edition
  • OXID eShop Community Edition

Releases:

  • All previous releases

Platforms:

  • All platforms

Resolution

The issue has been addressed in the following releases:

  • OXID eShop Professional Edition version 4.7.8
  • OXID eShop Community Edition version 4.7.8
  • OXID eShop Enterprise Edition version 5.0.8

Bug tracker entry: https://bugs.oxid-esales.com/view.php?id=5404

Workaround:

Please find the public function getRecommSearch() around line 388 in application/controllers/recommlist.php (views/recommlist.php in former versions).

Replace the line

with

Credits

The security issue has been reported by Adrian Märtins (SysEleven GmbH).

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum

How to report security issues

Learn how to report security issues in the Security overview page.


0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *