Security Bulletin 2019-002

The following vulnerability has been identified:


With a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel.


  • so far, no exploit is known
  • resolved; patch releases available on October 29th
  • workaround available


An attacker could trick a user with administrative rights into clicking a crafted URL in order to gain access to the administration panel of OXID eShop.

Affected products, releases and platforms

Products:

  • OXID eShop Enterprise Edition (“EE”)
  • OXID eShop Professional Edition (“PE”)
  • OXID eShop Community Edition (“CE”)

Releases:

  • OXID eShop EE, PE and CE v6.0.0 – v6.0.5
  • OXID eShop EE, PE and CE v6.1.0 – v6.1.4
  • OXID eShop EE v5.3.x and 5.2.x
  • OXID eShop PE and CE v4.10.x and 4.9.x

Platforms:

  • The releases named above are affected on all platforms.


The issue has been resolved in the following releases:

  • OXID eShop Enterprise, Professional & Community Edition v6.1.5
  • OXID eShop Enterprise, Professional & Community Edition v6.0.6
  • OXID eShop Enterprise Edition v5.3 and v5.2 (only workaround/hotfix available)
  • OXID eShop Professional & Community Edition v4.10 and 4.9 (only workaround/hotfix available)
  • Please note that previous versions might be affected as well. However, they were not assessed, and no workaround or fix will be provided for them.

Bug tracker entry (will remain in “private” state until November 5th):


Please download the file from the list according to your OXID eShop version/edition and replace the existing file in your installation:

Use this hotfix in OXID eShop >= v6.x as a temporary solution only, and upgrade your shop to the latest version as soon as possible. The update will overwrite the hotfix.


This security issue was found by an IT consultant at ALDI SÜD. Thanks a lot for reporting!

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed:

How to report security issues

Learn how to report security issues in the Security overview page.

Trackbacks & Pingbacks

  1. […] Security Bulletin 2019-002 with more details is prepared and will be published on November 5th to give you some time for fixing your installations. For any request, we left the comments function open in the forum discussion for this post – feel free 😉 […]

  2. […] Critical security vulnerability: Security Bulletins 2019-001 Security Bulletins 2019-002 […]