Released: October 20th, 2010
The following issue has been identified:
We found the possibility of sql injection.
Resolved in OXID eShop version 4.4.3.
By sending a specially crafted code to special forms, unauthorized users may gain access to the shop database.
No exploits are known as of today.
Affected products, releases and platforms
- OXID eShop Professional Edition
- OXID eShop Enterprise Edition
- OXID eShop Community Edition
- Professional, Enterprise and Community Edition: 4.4.0, 4.4.1 and 4.4.2
- Above releases are affected on all platforms.
The issue has been addressed in the following releases:
- OXID eShop Professional Edition version 4.4.3
- OXID eShop Enterprise Edition version 4.4.3
- OXID eShop Community Edition version 4.4.3
The security issue has been found during one of our regular security audits.
To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum
How to report security issues
Learn how to report security issues in the Security overview page.