The following vulnerability has been identified:
Under certain pre-conditions an attacker would be able to hijack the cart session of a client via a Cross-Site Request Forgery (CSRF).
- until now, no 0-day exploit is known
- resolved, patch releases available
An attacker could alter a shop customer’s cart content if the following pre-conditions are met:
- An attacker knows which shop is presently used by the client.
- An attacker knows the exact time when the customer will add product items to the cart.
- An attacker knows which product items are already in the cart (has to know their article IDs).
- An attacker would be able to trick user into clicking a button (submit form) of an e-mail or remote site within the period of visiting the shop and placing an order.
- OXID eShop Enterprise Edition (“EE”)
- OXID eShop Professional Edition (“PE”)
- OXID eShop Community Edition (“CE”)
- All OXID eShop versions up to 5.3.x (EE) and 4.10.x (PE, CE)
- All OXID eShop v6 (beta and RC1 versions)
- All releases are affected on all platforms
The issue has already been resolved in the following releases:
- OXID eShop Enterprise Edition v5.2.10
- OXID eShop Enterprise Edition v5.3.5
- OXID eShop Enterprise Edition v6.0.0 RC2 (not released yet)
- OXID eShop Professional Edition v4.9.10
- OXID eShop Professional Edition v4.10.5
- OXID eShop Professional Edition v6.0.0 RC2 (not released yet)
- OXID eShop Community Edition v4.9.10
- OXID eShop Community Edition v4.10.5
- OXID eShop Community Edition v6.0.0 RC2 (not released yet)
Bug tracker entry (in private state until August 16th): https://bugs.oxid-esales.com/view.php?id=6674
As the severity and the potential of data loss or harm is very low, we will not provide a workaround.
Please note that a fix for end-of-life versions will not be provided. Please update your OXID eShop installation.
Thanks a lot to the ifixit security team, who got this information from a security researcher, validated it and immediately reported it to us.
To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed: http://oxidforge.org/en/shop/development-security/feed.
Learn how to report security issues in the Security overview page.