The following issue has been identified:
A possibility for SQL injection was found.
Resolved in OXID eShop version 4.4.6.
When using specially crafted data, it’s possible to make SQL injection from eShop frontend.
No exploits are known as of today.
Affected products, releases and platforms
- OXID eShop Enterprise Edition
- OXID eShop Professional Edition
- OXID eShop Community Edition
- Professional, Enterprise and Community Edition: 184.108.40.206_13895, 220.127.116.11_13934, 18.104.22.168_14260, 22.214.171.124_14455, 126.96.36.199_14842, 188.8.131.52_14967, 184.108.40.206_15990, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4 and 4.4.5.
- Above releases are affected on all platforms.
The issue has been addressed in the following releases:
- OXID eShop Professional Edition version 4.4.6
- OXID eShop Enterprise Edition version 4.4.6
- OXID eShop Community Edition version 4.4.6
The security issue has been reported by Thorsten Albrecht (t-albrecht.de).
How to report security issues
Learn how to report security issues in the Security overview page.