Security Bulletin 2018-003

The following vulnerability has been identified:


An attacker is able to change the delivery address by bypassing the checkout process when using Paymorrow payment method.


  • This security issue was reported to us while working on an incident at a client system.
  • Resolved, patch releases are available. Sorry, no workaround possible.


By bypassing the checkout process, an attacker can circumvent the delivery address validation if the payment module does not use OXID eShop's checkout procedure properly. In this case the affected module is the Paymorrow module, which is regularly shipped as part of the OXID eShop compilation.
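To make the failure mode concrete, here is an added model of the bug class (example code, not OXID eShop or Paymorrow code; all names, the country rule and the request shape are assumptions): the delivery address is validated in one checkout step, and an order-finalization handler either trusts the address in the incoming request, which a direct call can supply without ever passing that step, or only uses the address the checkout already validated.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed rule for the model: only these destination countries are deliverable.
ALLOWED_COUNTRIES = {"DE", "AT"}


@dataclass
class Address:
    street: str
    city: str
    country: str


@dataclass
class CheckoutSession:
    """Server-side checkout state; the validated address lives only here."""
    validated_address: Optional[Address] = None


def validate_delivery_address(session: CheckoutSession, addr: Address) -> bool:
    """Checkout step: the single place an address may enter the session."""
    if addr.country not in ALLOWED_COUNTRIES or not addr.street or not addr.city:
        return False
    session.validated_address = addr
    return True


def finalize_order_vulnerable(session: CheckoutSession, request: dict) -> dict:
    """Models the flawed payment flow: it finalizes with whatever address the
    request carries, so calling it directly skips the validation step above
    and lets the delivery address be replaced after (or without) validation."""
    addr = Address(**request["deliveryAddress"])
    return {"status": "ordered", "deliver_to": addr}


def finalize_order_fixed(session: CheckoutSession, request: dict) -> dict:
    """Hardened flow: refuses to finalize unless the checkout produced a
    validated address, and ignores any address in the finalize request."""
    if session.validated_address is None:
        return {"status": "rejected", "reason": "checkout incomplete"}
    return {"status": "ordered", "deliver_to": session.validated_address}
```

In a real shop the validated address would live in the persisted order or basket, not a per-request object, but the binding rule is the same: finalization must consume the validated state, never a client-supplied address.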

Affected products, releases and platforms


  • OXID eShop Enterprise Edition (“EE”)
  • OXID eShop Professional Edition (“PE”)
  • OXID eShop Community Edition (“CE”)


  • OXID eShop EE v5.2.3 – v5.3.7
  • OXID eShop PE and CE v4.9.3 – v4.10.7
  • OXID eShop EE, PE and CE v6.0.0 – v6.0.2


  • The releases named above are affected on all platforms


The issue has already been resolved in the following releases:

  • OXID eShop Enterprise Edition v6.1.0
  • OXID eShop Professional Edition v6.1.0
  • OXID eShop Community Edition v6.1.0
  • OXID eShop Enterprise Edition v6.0.3
  • OXID eShop Professional Edition v6.0.3
  • OXID eShop Community Edition v6.0.3
  • OXID eShop Enterprise Edition v5.3.8
  • OXID eShop Professional Edition v4.10.8
  • OXID eShop Community Edition v4.10.8

Bug tracker entry (will remain in “private” state until this security bulletin is published):


Unfortunately, a workaround cannot be provided.


Many thanks to our Development Partner digidesk – media solutions who found this security issue and immediately reported it.

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed:

How to report security issues

Learn how to report security issues in the Security overview page.

1 reply: CVE-2018-14020