Today, we published patch releases OXID eShop 6.0.6 and OXID eShop 6.1.5, which fix security issue 2019-002. Older OXID eShop versions that have not been officially supported for a long time are also affected by this leak. However, we decided to provide hotfixes as replacement files for series 4.9 and 4.10 (Community and Professional Edition) as well as series 5.2 and 5.3 (Enterprise Edition).
Please note that even earlier versions might be affected as well. However, we did not assess them, nor will there be a workaround or fix for them. If you run such an old version, we strongly urge you to update.
To patch OXID eShop installations running series 4.9 or 4.10 (Community and Professional Edition) or series 5.2 or 5.3 (Enterprise Edition), please download the file from the following list that matches your OXID eShop version and edition, and replace the existing file /application/controllers/admin/login.php in your installation with it:
- Hotfix for OXID eShop Enterprise Edition v5.3.x
- Hotfix for OXID eShop Enterprise Edition v5.2.x
- Hotfix for OXID eShop Professional Edition v4.10.x
- Hotfix for OXID eShop Professional Edition v4.9.x
- Hotfix for OXID eShop Community Edition v4.10.x
- Hotfix for OXID eShop Community Edition v4.9.x
Security Bulletin 2019-002, with more details, has been prepared and will be published on November 5th to give you some time to fix your installations. For any requests, we have left the comment function open in the forum discussion for this post – feel free 😉