Filtered by vendor Oxid-esales
Subscribe
Total
12 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-38330 | 1 Oxid-esales | 1 Eshop | 2023-12-10 | N/A | 5.3 MEDIUM |
| OXID eShop Enterprise Edition 6.5.0 – 6.5.2 before 6.5.3 allows uploading files with modified headers in the administration area. An attacker can upload a file with a modified header to create a HTTP Response Splitting attack. | |||||
| CVE-2019-17062 | 1 Oxid-esales | 1 Eshop | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel via session fixation. | |||||
| CVE-2019-13026 | 1 Oxid-esales | 1 Eshop | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary. | |||||
| CVE-2018-12579 | 1 Oxid-esales | 1 Eshop | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attacker could gain access to the admin panel or a customer account when using the password reset function. To do so, it is required to own a domain name similar to the one the victim uses for their e-mail accounts. | |||||
| CVE-2018-20715 | 1 Oxid-esales | 1 Eshop | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL injection via the oxid or synchoxid parameter to the oxConfig::getRequestParameter() method in core/oxconfig.php. | |||||
| CVE-2014-4919 | 1 Oxid-esales | 1 Eshop | 2023-12-10 | 5.8 MEDIUM | 5.4 MEDIUM |
| OXID eShop Professional Edition before 4.7.13 and 4.8.x before 4.8.7, Enterprise Edition before 5.0.13 and 5.1.x before 5.1.7, and Community Edition before 4.7.13 and 4.8.x before 4.8.7 allow remote attackers to assign users to arbitrary dynamical user groups. | |||||
| CVE-2017-12415 | 1 Oxid-esales | 1 Eshop | 2023-12-10 | 5.1 MEDIUM | 7.5 HIGH |
| OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition before 6.0.0 RC2 (development), 4.9.x before 4.9.10 (legacy) and 4.10.x before 4.10.5 (maintenance) allow remote attackers to hijack the cart session of a client via Cross-Site Request Forgery (CSRF) if the following pre-conditions are met: (1) the attacker knows which shop is presently used by the client, (2) the attacker knows the exact time when the customer will add product items to the cart, (3) the attacker knows which product items are already in the cart (has to know their article IDs), and (4) the attacker would be able to trick user into clicking a button (submit form) of an e-mail or remote site within the period of visiting the shop and placing an order. | |||||
| CVE-2018-5763 | 1 Oxid-esales | 1 Eshop | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in OXID eShop Enterprise Edition before 5.3.7 and 6.x before 6.0.1. By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill and hence, it stops working. This is only valid if OXID High Performance Option is activated and Varnish is used. | |||||
| CVE-2017-14993 | 1 Oxid-esales | 1 Eshop | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka "forced browsing") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option. | |||||
| CVE-2015-6926 | 1 Oxid-esales | 1 Eshop | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| The OpenID Single Sign-On authentication functionality in OXID eShop before 4.5.0 allows remote attackers to impersonate users via the email address in a crafted authentication token. | |||||
| CVE-2014-2016 | 1 Oxid-esales | 1 Eshop | 2023-12-10 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in OXID eShop Professional and Community Edition 4.6.8 and earlier, 4.7.x before 4.7.11, and 4.8.x before 4.8.4, and Enterprise Edition 4.6.8 and earlier, 5.0.x before 5.0.11 and 5.1.x before 5.1.4 allow remote attackers to inject arbitrary web script or HTML via the searchtag parameter to the getTag function in (1) application/controllers/details.php or (2) application/controllers/tag.php. | |||||
| CVE-2013-5913 | 1 Oxid-esales | 1 Eshop | 2023-12-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the getRecommSearch function in recommlist.php in OXID eShop before 4.6.7, Professional and Community Edition 4.7.x before 4.7.8, and Enterprise Edition 5.x before 5.0.8 allows remote attackers to inject arbitrary web script or HTML via the searchrecomm parameter. | |||||