Security bulletin: 2011-004

  0 Comments/in / 
  ,

Released: 02/03/11

The following issue has been identified:

Synopsis

A possibility for data leak was found.

State

Resolved in OXID eShop version 4.4.6.

Impact

When admin panel uses SSL, in some rare cases non-SSL linkes approach for data transfer. This may lead to a possible “man in the middle attack”.
No exploits are known as of today.

Affected products, releases and platforms

Products:

  • OXID eShop Enterprise Edition
  • OXID eShop Professional Edition
  • OXID eShop Community Edition

Releases:

  • Professional, Enterprise and Community Edition: 4.0.0.0_13895, 4.0.0.0_13934, 4.0.0.0_14260, 4.0.0.1_14455, 4.0.0.2_14842, 4.0.0.2_14967, 4.0.1.0_15990, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4 and 4.4.5.

Platforms:

  • Above releases are affected on all platforms.

Resolution

The issue has been addressed in the following releases:

  • OXID eShop Professional Edition version 4.4.6
  • OXID eShop Enterprise Edition version 4.4.6
  • OXID eShop Community Edition version 4.4.6

Credits

The security issue has been found during one of our regular security audits.

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum

How to report security issues

Learn how to report security issues in the Security overview page.



You might also like
Security bulletin: 2011-002
Security bulletin: 2010-001
OXID eShop version 4.6.7
How to (quickly) port a module to OXID eShop 6.0
Security bulletin: 2009-001
OXID eShop version 4.10.7 (CE + PE) & 5.3.7 (EE)
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *