Security bulletin: 2010-004

Released: October 20th, 2010

The following issue has been identified:

We found the possibility of cross-site scripting (XSS).

Resolved in OXID eShop version 4.4.3.

By injecting specially crafted JavaScript code, an unauthorized user may gain access to another user's session.

No exploits are known as of today.

Affected products, releases and platforms

  • OXID eShop Professional Edition
  • OXID eShop Enterprise Edition
  • OXID eShop Community Edition

  • Professional, Enterprise and Community Edition: …, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1 and 4.4.2

  • The above releases are affected on all platforms.

Note: Releases older than those listed may also be affected. They are considered end of life and will not be supported further.


The issue has been addressed in the following releases:

  • OXID eShop Professional Edition version 4.4.3
  • OXID eShop Enterprise Edition version 4.4.3
  • OXID eShop Community Edition version 4.4.3

Note: Users of the legacy <= and <= releases will not be provided with a fix. These versions are considered end of life and will not be supported further.

The security issue was found during one of our regular security audits.

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum.

How to report security issues

Learn how to report security issues in the Security overview page.

Start the discussion at OXID forums