CVE Identifier: CVE-2018-14020: An attacker is able to change the delivery address by bypassing the checkout process when the Paymorrow payment method is used.
About OXID Security Team
OXID Security Team informs you about security issues in OXID eShop.
Entries by OXID Security Team
CVE Identifier: CVE-2018-12579: An attacker is able to take over access to a user account.
CVE Identifier: CVE-2018-5763: An attacker is able to bring servers to a standstill by calling specially crafted URLs if the OXID High Performance Option is activated and Varnish is used (denial of service/DoS).
FAQ for Security bulletin 2017-002: By crawling specially crafted URLs (e.g. by “forced browsing”), an attacker is able to overflow the database.
CVE-2017-14993: An attacker is able to overflow the shop database over the network and so make the shop stop working (denial of service/DoS).
CVE-2017-12415: Under certain pre-conditions an attacker would be able to hijack the cart session of a client via a Cross-Site Request Forgery (CSRF).
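The standard defence against the cart-session CSRF described above is a synchroniser token that a cross-site page cannot obtain. The following is an added illustration of that check, written in Python as a language-neutral example; it is not OXID eShop code, and SERVER_SECRET, the session dict and the request dicts are stand-ins for whatever the real framework provides.

```python
import hashlib
import hmac

# Constructed illustration of a synchroniser-token check for a cart update.
# Not OXID eShop code: SERVER_SECRET and the session/request dicts are
# assumptions standing in for the real framework's objects.

SERVER_SECRET = b"per-deployment-secret"  # assumption: random, kept server-side


def csrf_token_for(session_id: str) -> str:
    """Token rendered into the shop's own forms; derived, so nothing is stored."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def cart_change_allowed(session: dict, request: dict) -> bool:
    """Allow a cart change only for a POST carrying the session's token.

    A cross-site page can make the victim's browser attach the session
    cookie (here: session['id']), but it cannot read the token rendered
    into the shop's pages, so it cannot supply a matching value.
    """
    if request.get("method") != "POST":
        return False  # a GET that changes state is forgeable with a bare <img> or <a>
    supplied = request.get("form", {}).get("csrf_token", "")
    expected = csrf_token_for(session["id"])
    return hmac.compare_digest(expected, supplied)


# Constructed sample traffic: the victim's session and three requests.
VICTIM_SESSION = {"id": "sess-1234"}

# Request the shop's own form sends (token present).
LEGIT_REQUEST = {
    "method": "POST",
    "form": {"action": "add", "aid": "42", "csrf_token": csrf_token_for("sess-1234")},
}

# Request an attacker-controlled page auto-submits: the cookie travels with it,
# but the attacker's form cannot contain the right token.
FORGED_REQUEST = {
    "method": "POST",
    "form": {"action": "add", "aid": "42", "csrf_token": "guess"},
}

# Cart change attempted via a plain link, as an <img src=...> would trigger it.
GET_REQUEST = {"method": "GET", "form": {"action": "add", "aid": "42"}}
```

The token is keyed to the session, so it is invalid once the victim logs out or the session is rotated; binding it to the session rather than storing it avoids a server-side table while still giving each session a distinct value.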
CVE-2016-5072: By sending specially crafted HTTP POST or HTTP GET requests to the oxuser class, an attacker can gain administrative access to OXID eShop via the storefront.
FAQ for CVE-2016-5072: By sending specially crafted HTTP POST or HTTP GET requests to the oxuser class, an attacker can gain administrative access to OXID eShop via the storefront.
We’d like to inform you that our team has found a critical security issue in all versions and all editions of OXID eShop. This issue has already been fixed, and the fix will be officially released later today, on June 13th 2016, with OXID eShop Enterprise Edition 5.2.9 and 5.1.12 and with OXID eShop Professional and […]
CVE-2015-6926: An attacker can deploy their own OpenID Identity Provider (IdP) issuing valid OpenID authentication tokens (OpenID supports the usage of arbitrary IdPs). The attacker’s IdP can put any email address into the token (the OpenID specification allows this), so a relying party that maps the email claim to a local account lets the attacker log in as that account.
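The flaw class above comes from treating the email inside an assertion as the identity, when OpenID only guarantees that the IdP which signed the assertion vouches for it. The following is an added illustration in Python of the vulnerable lookup beside a hardened one; it is not OXID eShop code, and TRUSTED_IDPS, the USERS table and the assertion dicts are constructed stand-ins.

```python
# Constructed illustration of mapping an OpenID assertion to a local account.
# Not OXID eShop code: TRUSTED_IDPS, USERS and the assertion dicts are
# assumptions. An assertion here is taken to be already signature-checked
# against the IdP named in it; the point is what the shop does afterwards.

TRUSTED_IDPS = {"https://idp.example"}  # assumption: allow-list configured by the shop

# Local accounts keyed by email, each remembering the identity it was linked to
# as the pair (issuing IdP, claimed identifier).
USERS = {
    "victim@example.com": {
        "linked_identity": ("https://idp.example", "https://idp.example/id/victim"),
    },
}


def assertion_from(idp: str, claimed_id: str, email: str) -> dict:
    """A verified assertion: which IdP issued it, for whom, with what email claim."""
    return {"idp": idp, "claimed_id": claimed_id, "email": email}


def login_vulnerable(assertion: dict):
    """Trusts the email claim alone; any IdP can assert any email. Returns the account email."""
    email = assertion["email"]
    return email if email in USERS else None


def login_hardened(assertion: dict):
    """Accepts only allow-listed IdPs and matches on the full linked identity."""
    if assertion["idp"] not in TRUSTED_IDPS:
        return None
    identity = (assertion["idp"], assertion["claimed_id"])
    for email, account in USERS.items():
        if account["linked_identity"] == identity:
            return email
    return None


# Constructed assertions: the attacker's own IdP vouching for the victim's email,
# and the genuine one from the trusted IdP.
ATTACKER_ASSERTION = assertion_from(
    "https://attacker.example", "https://attacker.example/id/mallory", "victim@example.com"
)
GENUINE_ASSERTION = assertion_from(
    "https://idp.example", "https://idp.example/id/victim", "victim@example.com"
)
# Trusted IdP, but a different principal claiming the victim's email.
IMPOSTOR_AT_TRUSTED_IDP = assertion_from(
    "https://idp.example", "https://idp.example/id/mallory", "victim@example.com"
)
```

The hardened variant ignores the email claim for authentication entirely; if a shop wants email-based account linking, it should happen once, at link time, after an explicit confirmation, and only for IdPs it has chosen to trust.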
CVE-2014-4919: A flaw that allows assignment to any user group, except the admin group, without admin confirmation has been found in all editions and all prior versions of OXID eShop.
CVE-2014-2017: An HTTP response splitting vulnerability has been found in all editions and all prior versions of OXID eShop.
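Response splitting happens when request data reaches a response header with its CR/LF intact, so one response turns into two. The following is an added, generic illustration in Python of a redirect built both ways and of what a client parses out of the split response; it is not OXID eShop code, and the header builder, the parser and INJECTED_TARGET are constructed for the example.

```python
# Constructed illustration of HTTP response splitting in a redirect and of
# the input check that stops it. Generic Python, not OXID eShop code: the
# builder and parser are stand-ins for a framework's response layer.

SPLIT_CHARS = "\r\n\x00"


def is_safe_header_value(value: str) -> bool:
    """A header value may not contain CR, LF or NUL; they terminate or split headers."""
    return not any(ch in value for ch in SPLIT_CHARS)


def build_redirect_vulnerable(target: str) -> bytes:
    """302 whose Location is copied verbatim from request input."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode()


def build_redirect_hardened(target: str) -> bytes:
    """Same response, but refuses values that would inject extra lines."""
    if not is_safe_header_value(target):
        raise ValueError("control characters in header value")
    return build_redirect_vulnerable(target)


def parse_response(raw: bytes):
    """Split status line, headers and body the way a simple client would."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().decode()] = value.strip().decode()
    return status.decode(), headers, body


# Constructed attacker input: a redirect target carrying a second header and a
# body of the attacker's choosing (as it would look after URL decoding).
INJECTED_TARGET = "/cart\r\nSet-Cookie: sid=attacker\r\n\r\n<html>fake login</html>"


def vulnerable_outcome():
    """What a client sees when the vulnerable builder emits the injected target."""
    return parse_response(build_redirect_vulnerable(INJECTED_TARGET))
```

Rejecting the value is the simplest fix; percent-encoding CR and LF is the alternative when the value must be preserved. The check belongs at every point where request data reaches a header, whatever protections the language runtime or web server already apply on their own paths.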