The following vulnerability has been identified:
With a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel.
- no 0-day exploit is known so far
- resolved, patch releases available on October 29th
- workaround available
An attacker could trick a user with administrative rights into clicking a malformed URL in order to gain access to the administration panel of OXID eShop.
Affected products, releases and platforms
- OXID eShop Enterprise Edition (“EE”)
- OXID eShop Professional Edition (“PE”)
- OXID eShop Community Edition (“CE”)
- OXID eShop EE, PE and CE v6.0.0 – v6.0.5
- OXID eShop EE, PE and CE v6.1.0 – v6.1.4
- OXID eShop EE v5.3.x and v5.2.x
- OXID eShop PE and CE v4.10.x and v4.9.x
- The releases named above are affected on all platforms
The issue has been resolved in the following releases:
- OXID eShop Enterprise, Professional & Community Edition v6.1.5
- OXID eShop Enterprise, Professional & Community Edition v6.0.6
- OXID eShop Enterprise Edition v5.3 and v5.2 (only workaround/hotfix available)
- OXID eShop Professional & Community Edition v4.10 and v4.9 (only workaround/hotfix available)
- Please note that earlier versions might be affected as well; however, this was not assessed, and no workaround or fix will be provided for them.
Bug tracker entry (will remain in “private” state until November 5th): https://bugs.oxid-esales.com/view.php?id=7023
Please download the file matching your OXID eShop version and edition from the list and replace the existing file in your installation:
- /source/Application/Controller/Admin/LoginController.php (OXID eShop version >= v6)
- /application/controllers/admin/login.php (OXID eShop version < v6)
Use this hotfix in OXID eShop >= v6.x as a temporary solution only, and upgrade your shop to the latest version as soon as possible; the update will overwrite the hotfix.
This security issue was found by an IT consultant at ALDI SÜD. Thanks a lot for reporting!
To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed: https://oxidforge.org/en/shop/development-security/feed.
Learn how to report security issues on the Security overview page.