Security Bulletin 2017-001

The following vulnerability has been identified:


Under certain pre-conditions an attacker would be able to hijack the cart session of a client via a Cross-Site Request Forgery (CSRF).


  • until now, no 0-day exploit is known
  • resolved, patch releases available


An attacker could alter a shop customer’s cart content if the following pre-conditions are met:

  • An attacker knows which shop is presently used by the client.
  • An attacker knows the exact time when the customer will add product items to the cart.
  • An attacker knows which product items are already in the cart (has to know their article IDs).
  • An attacker would be able to trick the user into clicking a button (submitting a form) on an e-mail or remote site within the period between visiting the shop and placing an order.
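To make the fix concrete, the following added example (written for this bulletin, not OXID eShop's own code, and using hypothetical names such as `ShopSession`, `add_to_cart_unprotected`, `add_to_cart_protected` and the `csrf_token` field) places a cart handler that accepts any form post next to one that requires a per-session synchronizer token. The forged submission is constructed from exactly the knowledge the pre-conditions above list (the shop, the article ID, the moment of the visit) and is rejected by the protected handler, because a form on another origin cannot read the victim's token and therefore cannot include it.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed example, not OXID eShop code. Field and function names are
# hypothetical; "article_id" / "quantity" / "csrf_token" are our own choices.


@dataclass
class ShopSession:
    """The shop's server-side session, identified by the browser's cookie."""
    cart: Dict[str, int] = field(default_factory=dict)  # article ID -> quantity
    # One unguessable token per session, rendered into every state-changing form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_add_to_cart_form(session: ShopSession, article_id: str, quantity: int = 1) -> Dict[str, str]:
    """Fields the shop's own page embeds in its add-to-cart form, token included."""
    return {"article_id": article_id, "quantity": str(quantity), "csrf_token": session.csrf_token}


def _apply(session: ShopSession, form: Dict[str, str]) -> Tuple[bool, str]:
    """Cart mutation shared by both handlers; validates only the business fields."""
    article_id = form.get("article_id", "")
    try:
        quantity = int(form.get("quantity", "1"))
    except ValueError:
        return False, "rejected: quantity is not a number"
    if not article_id or quantity <= 0:
        return False, "rejected: invalid article or quantity"
    session.cart[article_id] = session.cart.get(article_id, 0) + quantity
    return True, f"added {quantity} x {article_id}"


def add_to_cart_unprotected(session: ShopSession, form: Dict[str, str]) -> Tuple[bool, str]:
    """Vulnerable shape: trusts the session cookie alone, so any origin can post here."""
    return _apply(session, form)


def add_to_cart_protected(session: ShopSession, form: Dict[str, str]) -> Tuple[bool, str]:
    """Hardened shape: the request must carry the token bound to this session."""
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check leaks nothing about the token.
    if not supplied or not secrets.compare_digest(supplied, session.csrf_token):
        return False, "rejected: CSRF token missing or invalid"
    return _apply(session, form)


def simulate() -> Dict[str, Dict[str, int]]:
    """Run both handlers against a legitimate and a cross-site submission.

    The browser attaches the victim's session cookie to both posts; the only
    difference is which form fields the posting page was able to produce.
    """
    results = {}
    for name, handler in (("unprotected", add_to_cart_unprotected),
                          ("protected", add_to_cart_protected)):
        victim = ShopSession()
        # Legitimate: the shop rendered the form, so the token is present.
        handler(victim, render_add_to_cart_form(victim, "1234"))
        # Cross-site: a form on another origin knows the article ID (constructed
        # value) but cannot read the victim's token, so it has none to send.
        forged = {"article_id": "9999", "quantity": "5"}
        handler(victim, forged)
        results[name] = dict(victim.cart)
    return results


if __name__ == "__main__":
    for name, cart in simulate().items():
        print(f"{name:11s} cart after both posts: {cart}")
```

The unprotected cart ends up with the attacker-chosen article, the protected one only with the customer's own choice. A token from another session, or an empty field, fails the same way, which is the property the patched releases rely on.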

Affected products, releases and platforms


  • OXID eShop Enterprise Edition (“EE”)
  • OXID eShop Professional Edition (“PE”)
  • OXID eShop Community Edition (“CE”)


  • All OXID eShop versions up to 5.3.x (EE) and 4.10.x (PE, CE)
  • All OXID eShop v6 (beta and RC1 versions)


  • All releases are affected on all platforms


The issue has already been resolved in the following releases:

  • OXID eShop Enterprise Edition v5.2.10
  • OXID eShop Enterprise Edition v5.3.5
  • OXID eShop Enterprise Edition v6.0.0 RC2 (not released yet)
  • OXID eShop Professional Edition v4.9.10
  • OXID eShop Professional Edition v4.10.5
  • OXID eShop Professional Edition v6.0.0 RC2 (not released yet)
  • OXID eShop Community Edition v4.9.10
  • OXID eShop Community Edition v4.10.5
  • OXID eShop Community Edition v6.0.0 RC2 (not released yet)

Bug tracker entry (in private state until August 16th):


As the severity and the potential for data loss or harm are very low, we will not provide a workaround.
Please note that a fix for end-of-life versions will not be provided. Please update your OXID eShop installation.


Thanks a lot to the ifixit security team, who got this information from a security researcher, validated it and immediately reported it to us.

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed:

How to report security issues

Learn how to report security issues in the Security overview page.
