An attacker can deploy their own OpenID Identity Provider (IdP) that issues valid OpenID authentication responses (tokens); OpenID is designed to accept arbitrary IdPs, so a relying party cannot reject such an IdP on principle. The attacker's IdP can place any email address in the attributes of that response, which the OpenID specification permits: the email address is merely asserted by the IdP, not verified by the relying party. OXID eShop nevertheless uses this asserted email address to select the local user account to log in.
Resolved in OXID eShop version 4.5.0
An attacker can impersonate any user of an affected OXID eShop installation whose email address is known. No interaction between the attacker and the victim is necessary.
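The following Python snippet is an added illustration of the flaw described above and is not code from OXID eShop or from this advisory's authors. It models a relying party that maps OpenID logins to local accounts, first in the flawed way (trusting the email attribute from any IdP) and then hardened (accounts bound to a claimed identifier in an explicit linking step, email-based mapping only from IdPs the shop chose to trust). All names, URLs, the user table and the discovery table are constructed assumptions; the signature check and discovery are simulated with a flag and a dictionary.

```python
# Added example (not OXID eShop's code). Constructed data; signature
# verification and OpenID discovery are simulated, not implemented.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class OpenIDResponse:
    op_endpoint: str            # IdP that signed the positive assertion
    claimed_id: str             # identifier the user claims to own
    email: str                  # sreg/AX attribute: asserted by the IdP, unverified
    signature_valid: bool = True  # result of the (simulated) signature check


# Constructed local user table, keyed by account id.
USERS = {
    1: {"email": "alice@example.com", "name": "alice"},
    2: {"email": "admin@example.com", "name": "shop admin"},
}

# Constructed stand-in for OpenID discovery (Yadis/XRDS/HTML): which IdP is
# authoritative for a claimed identifier. A real relying party fetches this.
DISCOVERY = {
    "https://op.trusted.example/alice": "https://op.trusted.example/",
    "https://evil.example/id/x": "https://evil.example/op",
}


def response_verified(resp: OpenIDResponse) -> bool:
    """Signature valid and the signing IdP is the one discovery names for claimed_id.
    This is what any OpenID 2.0 library checks; the flaw below is not here."""
    return resp.signature_valid and DISCOVERY.get(resp.claimed_id) == resp.op_endpoint


def find_by_email(email: str) -> Optional[int]:
    for uid, user in USERS.items():
        if user["email"] == email:
            return uid
    return None


def login_vulnerable(resp: OpenIDResponse) -> Optional[int]:
    """Flawed: the response is genuine, but the email inside it came from
    whichever IdP the attacker runs, so any account can be selected."""
    if not response_verified(resp):
        return None
    return find_by_email(resp.email)


# Hardened variant. Assumption: the shop keeps a claimed_id -> account table
# that users populate while logged in with their password.
OPENID_LINKS: Dict[str, int] = {}
TRUSTED_OPS = {"https://op.trusted.example/"}  # IdPs allowed to vouch for an email


def link_openid(uid: int, password_session_ok: bool, resp: OpenIDResponse) -> None:
    """Bind a claimed identifier to an account; requires an existing session."""
    if not password_session_ok:
        raise PermissionError("linking requires a password-authenticated session")
    if not response_verified(resp):
        raise PermissionError("OpenID response did not verify")
    OPENID_LINKS[resp.claimed_id] = uid


def login_hardened(resp: OpenIDResponse) -> Optional[int]:
    if not response_verified(resp):
        return None
    # 1. Prefer the binding the account owner created.
    uid = OPENID_LINKS.get(resp.claimed_id)
    if uid is not None:
        return uid
    # 2. Accept the asserted email only from an IdP the shop trusts for it.
    if resp.op_endpoint in TRUSTED_OPS:
        return find_by_email(resp.email)
    return None


if __name__ == "__main__":
    rogue = OpenIDResponse("https://evil.example/op", "https://evil.example/id/x",
                           "admin@example.com")
    print("vulnerable:", login_vulnerable(rogue))  # attacker lands in the admin account
    print("hardened:  ", login_hardened(rogue))    # rejected
```

The `DISCOVERY` check matters for the hardened path: binding accounts to `claimed_id` only helps if the relying party confirms, as OpenID 2.0 requires, that the IdP which signed the response is the one discovery names for that identifier; otherwise a rogue IdP could simply echo a victim's linked identifier.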