Security Bulletin 2019-002

The following vulnerability has been identified:

Synopsis

A specially crafted URL can cause a user with administrative rights to unintentionally grant an unauthorized user access to the admin panel.

State

  • no exploit in the wild is known so far
  • resolved, patch releases available on October 29th
  • workaround available

Impact

An attacker could trick a user with administrative rights into clicking a crafted URL and thereby gain access to the administration panel of OXID eShop.
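The bulletin does not say which admin action the crafted URL targets, so the following is a generic illustration of the bug class it describes, written for this page and not taken from OXID eShop: a rights-granting admin action that fires on any request carrying the admin's session (including one triggered by a link or hidden image on an attacker's page), next to a hardened version that requires POST, a matching Origin header and a session-bound CSRF token. The Session and Request classes, the ADMIN_ORIGIN value and the handler names are all assumptions made for the example.

```python
"""Added example: a CSRF-style "crafted URL grants admin" bug and its fix.

Not OXID code. Session, Request, ADMIN_ORIGIN and the handlers are
hypothetical stand-ins for a real web framework.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumed origin of the admin panel; anything else is cross-site.
ADMIN_ORIGIN = "https://shop.example"


@dataclass
class Session:
    user: str
    is_admin: bool
    # One secret per session; embedded in forms, never readable cross-site.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]
    origin: Optional[str] = None  # value of the Origin request header


def grant_admin_vulnerable(req: Request, sess: Session, admins: Set[str]) -> bool:
    """Vulnerable pattern: the admin's cookie alone authorizes the change.

    A GET to /admin/grant?user=mallory from any page the admin visits
    (link, <img src>, redirect) succeeds, because the browser attaches the
    admin session automatically and nothing proves the admin intended it.
    """
    if not sess.is_admin:
        return False
    admins.add(req.params["user"])
    return True


def render_grant_form(sess: Session) -> str:
    """Hardened flow, step 1: the form carries the session's CSRF token."""
    return (
        f'<form method="POST" action="/admin/grant">'
        f'<input type="hidden" name="csrf_token" value="{sess.csrf_token}">'
        f'<input name="user"><button>Grant admin</button></form>'
    )


def grant_admin_hardened(req: Request, sess: Session, admins: Set[str]) -> bool:
    """Hardened flow, step 2: prove the request came from our own form."""
    if not sess.is_admin:
        return False
    if req.method != "POST":          # state changes never ride on GET
        return False
    if req.origin != ADMIN_ORIGIN:    # cross-site POSTs carry a foreign Origin
        return False
    token = req.params.get("csrf_token", "")
    # Constant-time compare against the token stored server-side.
    if not hmac.compare_digest(token, sess.csrf_token):
        return False
    admins.add(req.params["user"])
    return True
```

The Origin check alone already stops a link-click attack from another site, and the token check covers browsers that omit Origin; using both means a single missing header never turns into a bypass.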

Affected products, releases and platforms

Products:

  • OXID eShop Enterprise Edition (“EE”)
  • OXID eShop Professional Edition (“PE”)
  • OXID eShop Community Edition (“CE”)

Releases:

  • OXID eShop EE, PE and CE v6.0.0 – v6.0.5
  • OXID eShop EE, PE and CE v6.1.0 – v6.1.4
  • OXID eShop EE v5.3.x and 5.2.x
  • OXID eShop PE and CE v4.10.x and 4.9.x

Platforms:

  • The releases named above are affected on all platforms

Resolution

The issue has been resolved in the following releases:

  • OXID eShop Enterprise, Professional & Community Edition v6.1.5
  • OXID eShop Enterprise, Professional & Community Edition v6.0.6
  • OXID eShop Enterprise Edition v5.3 and v5.2 (only workaround/hotfix available)
  • OXID eShop Professional & Community Edition v4.10 and 4.9 (only workaround/hotfix available)
  • Please note that earlier versions may be affected as well. They have not been assessed, and no workaround or fix will be provided for them.

Bug tracker entry (will remain in “private” state until November 5th): https://bugs.oxid-esales.com/view.php?id=7023

Workarounds

Please download the file from the list according to your OXID eShop version/edition and replace the existing file in your installation:

Use this hotfix in OXID eShop >= v6.x as a temporary measure only, and upgrade your shop to the latest release as soon as possible. The upgrade will overwrite the hotfix file.
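Replacing a file by hand leaves no record of what was swapped, which matters later when you want to confirm that the regular upgrade really overwrote the hotfix. The helper below is an added example, not something shipped by OXID, and makes no assumption about the hotfix file names (which are not reproduced in this bulletin): it takes the downloaded file and the installed file as arguments, keeps a timestamped backup, records the SHA-256 of what is now installed, and lets you check afterwards whether that hotfix is still in place.

```shell
#!/bin/sh
# Added example (not OXID code): apply a hotfix file with a backup and a
# hash record, and later check whether the hotfix is still installed.

# Portable SHA-256: GNU coreutils sha256sum, or shasum on BSD/macOS.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# apply_hotfix HOTFIX_FILE INSTALLED_FILE
# Backs up INSTALLED_FILE, copies HOTFIX_FILE over it and records the
# resulting hash in INSTALLED_FILE.hotfix.sha256.
apply_hotfix() {
    hotfix="$1"; target="$2"
    [ -f "$hotfix" ] || { echo "hotfix file missing: $hotfix" >&2; return 1; }
    [ -f "$target" ] || { echo "target file missing: $target" >&2; return 1; }
    backup="$target.pre-hotfix.$(date +%Y%m%d%H%M%S)"
    cp -p "$target" "$backup" || return 1
    cp "$hotfix" "$target" || return 1
    _sha256 "$target" > "$target.hotfix.sha256"
    echo "applied hotfix to $target (backup: $backup)"
}

# hotfix_installed INSTALLED_FILE
# Succeeds if the file still matches the recorded hotfix hash; fails if it
# was changed since, for example by the upgrade that overwrites the hotfix.
hotfix_installed() {
    target="$1"
    [ -f "$target.hotfix.sha256" ] || return 1
    recorded=$(cat "$target.hotfix.sha256")
    current=$(_sha256 "$target")
    [ "$recorded" = "$current" ]
}
```

Typical use is `apply_hotfix ./Downloaded.php /var/www/shop/path/to/Installed.php` (paths are placeholders), then `hotfix_installed /var/www/shop/path/to/Installed.php` after the upgrade; a non-zero exit there is the expected outcome, confirming the temporary file is gone.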

Credits

This security issue was found by an IT consultant at ALDI SÜD. Thanks a lot for reporting!

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed: https://oxidforge.org/en/shop/development-security/feed.

How to report security issues

Learn how to report security issues in the Security overview page.
