Security

OXID eSales is an Open Source software vendor and naturally takes security issues seriously. Here, you will find information on how to report security-related issues to us and how we process such issues.

Reporting a security issue

If you have discovered a security issue in one of our products or services, please get in touch with us immediately. Our policy is to limit public knowledge about a security issue until we provide a fix for it.

We kindly ask you to inform us first and to keep the vulnerability confidential from the general public, as public disclosure might compromise existing businesses.

This is the process:

  1. Please send an email to security@oxid-esales.com.
  2. We will confirm that the email or bug report has been received by OXID eSales.
  3. OXID will provide you with information on our progress in verifying and fixing the vulnerability, and the estimated date at which a security fix or new release will be available.

OXID is happy to arrange an embargo date with you, at which you can issue a security bulletin, so that you (apart from us) will be the first to report it to the general public. OXID generally treats all reports confidentially and anonymously, but we will happily credit you in our security bulletin as the one who discovered the vulnerability if you want us to.

Why do we ask you to inform us beforehand and to arrange an embargo date? Isn’t that at odds with the idea of open communication? No. It helps everyone running a shop if the vulnerability is not known to the general public until it has been fixed. Otherwise shop owners are exposed to publicly known vulnerabilities that have not been fixed yet.

For any questions about the process of reporting a security issue, please do not hesitate to ask at security@oxid-esales.com.

Supported versions

When we release new security advisories, we only check if supported versions are affected. Currently supported versions are:

  • 4.9.x/5.2.x
  • 4.10.x/5.3.x

Older, unsupported versions may or may not have the same security vulnerabilities. Security fixes or any bug fixes for older versions are not provided by OXID eSales. We urge users of older versions to upgrade their OXID eShop installations.

Modules and extensions

If you have found a security issue in one of our extensions, please drop us a note via security@oxid-esales.com.
If you have found a security issue in a third-party extension, please contact the developer of that extension first. If you can’t find the author, don’t receive an answer, or run into similar problems, please feel free to contact us as well.

Getting informed via Security Bulletins

OXID eSales will publish the bulletin to the OXIDforge wiki within the Security Bulletins category and will also inform the community via the mailing lists and the Announcement forum. We will also inform relevant security mailing lists about the bulletin to inform other vendors and Linux distributors.

As soon as the issue has been verified and fixed by our engineers, we will set an embargo date after which a security bulletin will be made available to the general public. This will be done either when a fix for existing releases is available, or when a new release comes out that contains the security fix. OXID will not publicly announce security vulnerabilities that haven’t been fixed in stable releases yet.

A few close OXID partners will receive a notification of the upcoming bulletin approximately 48-96 hours before it is made available to the general public.

Previous security advisories

Security Bulletin 2017-001

CVE-2017-12415: Under certain preconditions an attacker would be able to hijack the cart session of a client via Cross-Site Request Forgery (CSRF).
16. August 2017/by Marco Steinhäuser

PHPMailer < 5.2.21 Remote Code Execution: OXID eShop is safe!

The security issue CVE-2016-10033 was found in PHPMailer, which is used in OXID eShop. OXID eShop is safe. Please read how to update anyway if you wish.
29. December 2016/by Ina El-Kadhi

Security Bulletin 2016-001

CVE-2016-5072: By sending specially crafted HTTP_POST or HTTP_GET requests to the oxuser class, an attacker can gain administrative access to OXID eShop via the storefront.
13. June 2016/by Marco Steinhäuser

FAQ Security Bulletin 2016-001

13. June 2016/by Marco Steinhäuser

Security Bulletin 2015-001

CVE-2015-6926: An attacker can deploy his own OpenID Identity Provider (IdP) issuing valid OpenID authentication tokens (OpenID supports the usage of arbitrary IdPs). The attacker's IdP can issue tokens containing any email address within the token (this feature is allowed by the OpenID specification).
30. September 2015/by Marco Steinhäuser

Security bulletin: 2014-003

CVE-2014-4919: A possibility to assign a user to any user group, except the admin group, without admin confirmation has been found in OXID eShop, all editions, all former versions.
12. August 2014/by Jurate Baseviciene

Security bulletin: 2014-002

CVE-2014-2017: An HTTP response splitting vulnerability has been found in OXID eShop, all editions, all former versions.
11. March 2014/by Marco Steinhäuser

Security bulletin: 2014-001

CVE-2014-2016: Under certain circumstances, an attacker can trick a user into entering a specially crafted URI or clicking on a malformed link to exploit a cross-site scripting vulnerability that theoretically can be used to gain unauthorized access to a user account or to collect sensitive information about this user.
11. March 2014/by Marco Steinhäuser

Security bulletin: 2013-001

CVE-2013-5913: Under certain circumstances, an attacker can trick a user into entering a specially crafted URI or clicking on a malformed link to exploit a cross-site scripting vulnerability that theoretically can be used to gain unauthorized access to a user account or to collect sensitive information about this user.
8. October 2013/by Marco Steinhäuser

Security bulletin: 2011-004

When the admin panel uses SSL, in some rare cases non-SSL links are used for data transfer. This may allow a “man in the middle attack”.
3. February 2011/by Marco Steinhäuser

Security bulletin: 2011-003

By requesting specially crafted URLs, a new cache entry is created for each requested page, so the server may run out of resources (disk or memory) in a DoS attack.
3. February 2011/by Marco Steinhäuser

Security bulletin: 2011-002

In some special cases, when several users are working in the same area of the eShop frontend, it’s possible to capture another user’s session.
3. February 2011/by Marco Steinhäuser

Security bulletin: 2011-001

Specially crafted JavaScript code inserted into particular input fields in the OXID eShop frontend can be executed as unauthorized JavaScript code in the eShop admin area.
3. February 2011/by Marco Steinhäuser

Security bulletin: 2010-007

XSS: Specially crafted JavaScript code inserted into particular input fields in the OXID eShop frontend can be executed as unauthorized JavaScript code in the eShop admin area.
13. December 2010/by Marco Steinhäuser

Security bulletin: 2010-006

A possibility of an attack was found that could lead to Denial of Service (DoS) of the store.
8. November 2010/by Marco Steinhäuser

Security bulletin: 2010-005

We found the possibility of SQL injection.
20. October 2010/by Marco Steinhäuser

Security bulletin: 2010-004

We found the possibility of cross-site scripting (XSS).
20. October 2010/by Marco Steinhäuser

Security bulletin: 2010-003

By sending a specially crafted JavaScript code, unauthorized users may gain access to another user’s session.
25. August 2010/by Marco Steinhäuser

Security bulletin: 2010-002

By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel.
30. March 2010/by Marco Steinhäuser

Security bulletin: 2010-001

Specially crafted JavaScript code can inject malicious code into the database.
30. March 2010/by Marco Steinhäuser

Security bulletin: 2009-004

Specially crafted SQL statements can lead to unauthorized access to the database.
15. October 2009/by Stefan Werner

Security bulletin: 2009-003

CVE-2009-2266: A specially crafted cookie can lead to unauthorized access to session information of unregistered users.
11. August 2009/by Marco Steinhäuser

Security bulletin: 2009-002

CVE-2009-3113: A specially crafted parameter can lead to unauthorized write access to product reviews in the shop.
11. May 2009/by Marco Steinhäuser

Security bulletin: 2009-001

CVE-2009-3112: A specially crafted parameter can lead to unauthorized administrative access to the shop backend.
7. May 2009/by Marco Steinhäuser