Security bulletin: 2013-001

This bulletin has been assigned a CVE identifier of CVE-2013-5913
CVSS score 2.1
Released: October 8th, 2013

The following issue has been identified:


A XSS vulnerability was found.


Resolved in OXID eShop Professional and Community Edition version 4.7.8 and OXID eShop Enterprise Edition version 5.0.8. Will be resolved in OXID eShop all editions with version 4.6.7 of the former series.


Under certain circumstances, an attacker can trick a user to enter a specially crafted URI or click on a mal-formed link to exploit a cross-site scripting vulnerability that theoretically can be used to gain unauthorized access to a user account or collect sensitive information of this user.

No exploits are known as of today.

Affected products, releases and platforms


  • OXID eShop Professional Edition
  • OXID eShop Enterprise Edition
  • OXID eShop Community Edition


  • All previous releases


  • All platforms


The issue has been addressed in the following releases:

  • OXID eShop Professional Edition version 4.7.8
  • OXID eShop Community Edition version 4.7.8
  • OXID eShop Enterprise Edition version 5.0.8

Bug tracker entry:


Please find the public function getRecommSearch() around line 388 in application/controllers/recommlist.php (views/recommlist.php in former versions).

Replace the line

if ( $sSearch = oxConfig::getParameter( 'searchrecomm', true ) ) {


if ( $sSearch = oxConfig::getParameter( 'searchrecomm', false ) ) {


The security issue has been reported by Adrian Märtins (SysEleven GmbH).

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum

How to report security issues

Learn how to report security issues in the Security overview page.

Start the discussion at OXID forums

Prior comments
1 reply

Trackbacks & Pingbacks

  1. […] Please note that this patch contains a security fix. Therefore we strongly recommend to include this patch into your live environments as soon as possible. Partners and NDA owners have already been notified. The security bulletin for this issue was published on October 8th: […]

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *