Security bulletin: 2010-001
Released: March 30th, 2010
As part of our regular security audit, the following issue has been identified:
Synopsis
Specially crafted JavaScript code can inject malicious code into the database.
State
Resolved in OXID eShop version 4.3.0.
Impact
By sending specially crafted JavaScript code, unauthorized users may inject malicious code into the database.
No exploits are known as of today.
Affected products, releases and platforms
Products:
- OXID eShop Professional Edition
- OXID eShop Enterprise Edition
- OXID eShop Community Edition
Releases:
- Professional, Enterprise and Community Edition: 4.0.0.0_13895, 4.0.0.0_13934, 4.0.0.0_14260, 4.0.0.1_14455, 4.0.0.2_14842, 4.0.0.2_14967, 4.0.1.0_15990, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6 and 4.2.0
Platforms:
- The releases listed above are affected on all platforms.
Note: Releases older than the ones mentioned may also be affected. They are considered end of life and will not be supported further.
Resolution
The issue has been addressed in the following releases:
- OXID eShop Professional Edition version 4.3.0
- OXID eShop Enterprise Edition version 4.3.0
- OXID eShop Community Edition version 4.3.0
Note: Users of the legacy <= 2.7.0.3 and <= 3.0.4.1 releases will not be provided with a fix. These versions are considered end of life and will not be supported further.
Credits
The security issue has been found during one of our regular security audits.
Stay up-to-date
To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum.
How to report security issues
Learn how to report security issues in the Security overview page.