OXID eSales is an Open Source software vendor and naturally takes security issues seriously. Here you will find information on how to report security-related issues to us and how we handle such issues.

Reporting a security issue

If you have discovered a security issue in one of our products or services, please get in touch with us immediately. Our policy is to limit public knowledge of a security issue until we have provided a fix for it.

This is the process:

  1. Please send an email to security@oxid-esales.com.
  2. We will confirm that the email or bug report has been received by OXID eSales.
  3. OXID will provide you with information on our progress in verifying and fixing the vulnerability, and the estimated date at which a security fix or new release will be available.

OXID is happy to arrange an embargo date with you, at which you can issue your own security bulletin, so that you – apart from us – will be the first to report the issue to the general public. OXID generally treats all reports as confidential and anonymous, but we will happily credit you in our security bulletin as the discoverer of the vulnerability if you wish.

Why do we ask you to inform us beforehand and to arrange an embargo date? Isn’t that at odds with the principle of open communication? No. It helps everyone running a shop if the vulnerability is not known to the general public until it has been fixed. Otherwise, shop owners would be exposed to publicly known vulnerabilities that have not been fixed yet.

For any questions about the process of reporting a security issue, please do not hesitate to contact us at security@oxid-esales.com.

Supported versions

When we release a new security advisory, we only check whether the supported versions are affected. Currently supported versions are:

  • 6.1.x
  • 6.2.x

Older, unsupported versions may or may not be affected by the same security vulnerabilities. OXID eSales does not provide security fixes or any other bug fixes for older versions. We urge users of older versions to upgrade their OXID eShop installations.

Modules and extensions

If you have found a security issue in one of our extensions, please drop us a note via security@oxid-esales.com.
If you have found a security issue in a third-party extension, please contact the developer of that extension first. If you can’t find the author, don’t receive an answer, or run into similar problems, please feel free to contact us as well.

Getting informed via Security Bulletins

OXID eSales publishes each bulletin on the OXIDforge wiki in the Security Bulletins category and also informs the community via Slack and the Announcement forum. We also notify relevant security mailing lists about the bulletin so that other vendors and Linux distributors are informed.

As soon as the issue has been verified and fixed by our engineers, we set an embargo date after which a security bulletin is made available to the general public. This happens either when a fix for existing releases is available or when a new release containing the security fix comes out. OXID will not publicly announce security vulnerabilities that have not yet been fixed in stable releases.

A few close OXID partners will receive a notification of the upcoming bulletin approximately 48-96 hours before it is made available to the general public.

Previous security advisories

Security Bulletin 2019-002

CVE-2019-17062: With a specially crafted URL, users with admin rights could unintentionally grant unauthorized users access to the admin panel.

Security Bulletin 2019-001

CVE-2019-13026: With a specially crafted URL, an attacker would be able to gain full access to the administration panel.

Security Bulletin 2018-003

CVE-2018-14020: An attacker is able to change the delivery address by bypassing the checkout process when the Paymorrow payment method is used.

Security Bulletin 2018-002

CVE-2018-12579: An attacker is able to take over access to a user account.

Security Bulletin 2018-001

CVE-2018-5763: An attacker is able to bring servers to a standstill by calling specially crafted URLs if the OXID High Performance Option is activated and Varnish is used (denial of service/DoS).

Security Bulletin 2017-002

CVE-2017-14993: An attacker is able to overflow the shop database over the network, and hence make the shop stop working (denial of service/DoS).

Security Bulletin 2017-001

CVE-2017-12415: Under certain pre-conditions an attacker would be able to hijack the cart session of a client via a Cross-Site Request Forgery (CSRF).

Security Bulletin 2016-001

CVE-2016-5072: By sending specially crafted HTTP_POST or HTTP_GET requests to the oxuser class, an attacker can gain administrative access to OXID eShop via the storefront.

FAQ OXID Security Bulletin 2016-001

FAQ for CVE-2016-5072: By sending specially crafted HTTP_POST or HTTP_GET requests to the oxuser class, an attacker can gain administrative access to OXID via the storefront.

Security Bulletin 2015-001

CVE-2015-6926: An attacker can deploy his own OpenID Identity Provider (IdP) issuing valid OpenID authentication tokens (OpenID supports the usage of arbitrary IdPs). The attacker’s IdP can issue tokens containing any email address within the token (this feature is allowed by the OpenID specification).

Security Bulletin 2014-003

CVE-2014-4919: A way to assign a user to any user group except the admin group, without admin confirmation, has been found in all OXID eShop editions and all former versions.

Security Bulletin 2014-002

CVE-2014-2017: An HTTP response splitting vulnerability has been found in all OXID eShop editions and all former versions.

Security Bulletin 2014-001

CVE-2014-2016: Under certain circumstances, an attacker can trick a user into entering a specially crafted URI or clicking on a malformed link to exploit a cross-site scripting vulnerability that theoretically can be used to gain unauthorized access to a user account or to collect sensitive information about this user.

Security Bulletin 2013-001

CVE-2013-5913: Under certain circumstances, an attacker can trick a user into entering a specially crafted URI or clicking on a malformed link to exploit a cross-site scripting vulnerability that theoretically can be used to gain unauthorized access to a user account or to collect sensitive information about this user.

Security Bulletin 2011-004

When the admin panel uses SSL, in some rare cases non-SSL links are used for data transfer. This may enable a “man in the middle” attack.

Security Bulletin 2011-003

By creating specially crafted URLs, a new cache entry is created for every requested page, so the server may run out of resources (disk or memory) in a DoS attack.

Security Bulletin 2011-002

In some special cases, when several users are working at the same place in the eShop frontend, it is possible to capture another user’s session.

Security Bulletin 2011-001

By inserting specially crafted JavaScript code into particular input fields in the OXID eShop frontend, it is possible to execute unauthorized JavaScript code in the eShop admin area.

Security Bulletin 2010-007

XSS: By inserting specially crafted JavaScript code into particular input fields in the OXID eShop frontend, it is possible to execute unauthorized JavaScript code in the eShop admin area.

Security Bulletin 2010-006

A possible attack was found that could lead to a denial of service (DoS) of the store.

Security Bulletin 2010-003

By sending specially crafted JavaScript code, unauthorized users may gain access to another user’s session.

Security Bulletin 2010-002

By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel.

Security Bulletin 2009-003

CVE-2009-2266: A specially crafted cookie can lead to unauthorized access to the session information of unregistered users.

Security Bulletin 2009-002

CVE-2009-3113: A specially crafted parameter can lead to unauthorized write access to product reviews in the shop.

Security Bulletin 2009-001

CVE-2009-3112: A specially crafted parameter can lead to unauthorized administrative access to the shop backend.