Security bulletin: 2014-001
This bulletin has been assigned a CVE identifier of CVE-2014-2016
CVSS score 4.2
Released: March 11th, 2014
The following issue has been identified:
Synopsis
A reflected cross-site scripting (XSS) vulnerability was found in the handling of the "searchtag" request parameter.
State
- Resolved in OXID eShop version 4.7.11/5.0.11 and OXID eShop version 4.8.4/5.1.4.
- A fix for OXID eShop version 4.6.8 is available.
- Please see the proposed workaround for older versions of OXID eShop.
Impact
Under certain circumstances, an attacker can trick a user into entering a specially crafted URI or clicking a malformed link and thereby exploit a cross-site scripting vulnerability, which in theory could be used to gain unauthorized access to the user's account or to collect sensitive information about this user.
No exploits are known as of today.
Affected products, releases and platforms
Products:
- OXID eShop Enterprise Edition
- OXID eShop Professional Edition
- OXID eShop Community Edition
Releases:
- All previous releases
Platforms:
- All releases are affected on all platforms.
Resolution
The issue has been addressed in the following patch releases (estimated for February 25th):
- OXID eShop Professional Edition version 4.7.11 and 4.8.4
- OXID eShop Enterprise Edition version 5.0.11 and 5.1.4
- OXID eShop Community Edition version 4.7.11 and 4.8.4
and as a fix for the following versions:
- OXID eShop Professional Edition version 4.6.8
- OXID eShop Enterprise Edition version 4.6.8
- OXID eShop Community Edition version 4.6.8
Bug tracker entry: https://bugs.oxid-esales.com/view.php?id=5611
Workaround
1. Open application/controllers/details.php (views/details.php in older versions) and find the public function getTag() around line 1019.
Replace the line
return oxConfig::getParameter("searchtag", 1);
with
return oxConfig::getParameter("searchtag", false);
2. Open application/controllers/tag.php (views/tag.php in older versions) and find the public function getTag() around line 252.
Replace the line
$this->_sTag = oxConfig::getParameter("searchtag", 1);
with
$this->_sTag = oxConfig::getParameter("searchtag", false);
The second argument of oxConfig::getParameter() is the raw flag: with 1 (true) the "searchtag" request parameter is returned unmodified, with false oxConfig converts HTML special characters to entities before the value reaches the template, which is what stops the injected markup from being rendered.
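The effect of the two replacements above, as an added example written for this page and not OXID code: a stand-in getParameter() whose second argument mirrors the raw flag is fed a constructed searchtag value of the kind the Impact section describes, once raw and once escaped. The helper names, the request array and the htmlspecialchars()-based escaping are assumptions about what the raw flag toggles; only the call shape oxConfig::getParameter("searchtag", ...) comes from the bulletin.

```php
<?php
// Added example, not OXID code. Demonstrates why the workaround changes the
// second argument of getParameter() from 1 to false. getParameter() and
// renderTagHeading() below are simplified stand-ins (assumptions), not the
// real oxConfig / template code.
declare(strict_types=1);

/**
 * Stand-in for oxConfig::getParameter(): returns the request parameter
 * either raw ($blRaw = true, the "1" in the bulletin) or with HTML special
 * characters converted to entities ($blRaw = false). Escaping is modelled
 * with htmlspecialchars(); the real OXID helper is assumed to behave alike.
 */
function getParameter(array $aRequest, string $sName, bool $blRaw = false): ?string
{
    if (!isset($aRequest[$sName])) {
        return null;
    }
    $sValue = (string) $aRequest[$sName];
    return $blRaw ? $sValue : htmlspecialchars($sValue, ENT_QUOTES, 'UTF-8');
}

/** Renders the tag the way a template would echo it into the page. */
function renderTagHeading(?string $sTag): string
{
    return '<h1 class="tag">' . ($sTag ?? '') . '</h1>';
}

/** True if the rendered HTML still contains the attacker's markup verbatim. */
function containsRawMarkup(string $sHtml, string $sNeedle): bool
{
    return strpos($sHtml, $sNeedle) !== false;
}

// Constructed request (assumption): the crafted searchtag value an attacker
// would place in a link or URI, breaking out of an attribute and adding script.
$aRequest = ['searchtag' => '"><script>alert(document.cookie)</script>'];

// Before the workaround: raw flag set, the value reaches the page untouched.
$sVulnerable = renderTagHeading(getParameter($aRequest, 'searchtag', true));

// After the workaround: raw flag false, special characters become entities.
$sFixed = renderTagHeading(getParameter($aRequest, 'searchtag', false));

echo "raw flag = 1:     ", $sVulnerable, PHP_EOL;
echo "raw flag = false: ", $sFixed, PHP_EOL;

// The raw variant still carries an executable <script> element; the escaped
// variant carries only &lt;script&gt; text and is inert in the browser.
assert(containsRawMarkup($sVulnerable, '<script>'));
assert(!containsRawMarkup($sFixed, '<script>'));
```

Run it with php from the command line. After applying the workaround on a shop, grep application/controllers/details.php and application/controllers/tag.php for getParameter("searchtag", 1) to confirm no raw call remains, then request a tag page with a crafted searchtag value and check that the heading shows the entities rather than executing script.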
Credits
Many thanks to Heiko Frenzel for the hint!
Stay up-to-date
To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum
How to report security issues
Learn how to report security issues in the Security overview page.
Start the discussion at OXID forums