Vulnerabilities > Oxid Esales

DATE CVE VULNERABILITY TITLE RISK
2023-08-02 CVE-2023-38330 Unrestricted Upload of File with Dangerous Type vulnerability in Oxid-Esales Eshop 6.5.0/6.5.2
OXID eShop Enterprise Edition 6.5.0 – 6.5.2 before 6.5.3 allows uploading files with modified headers in the administration area.
network
low complexity
oxid-esales CWE-434
5.3
2019-11-05 CVE-2019-17062 Session Fixation vulnerability in Oxid-Esales Eshop
An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x.
network
low complexity
oxid-esales CWE-384
8.8
2019-07-30 CVE-2019-13026 SQL Injection vulnerability in Oxid-Esales Eshop 6.0.0/6.0.2/6.1.0
OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker.
network
low complexity
oxid-esales CWE-89
critical
9.8
2019-01-15 CVE-2018-20715 SQL Injection vulnerability in Oxid-Esales Eshop 4.10.6
The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL injection via the oxid or synchoxid parameter to the oxConfig::getRequestParameter() method in core/oxconfig.php.
network
low complexity
oxid-esales CWE-89
critical
9.8
2018-08-20 CVE-2018-12579 Weak Password Recovery Mechanism for Forgotten Password vulnerability in Oxid-Esales Eshop
An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0.
network
high complexity
oxid-esales CWE-640
8.1
2018-02-20 CVE-2017-14993 Forced Browsing vulnerability in Oxid-Esales Eshop
OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka "forced browsing") in order to overflow the database of the shop and consequently make it stop working.
network
low complexity
oxid-esales CWE-425
7.5
2018-02-20 CVE-2017-12415 Cross-Site Request Forgery (CSRF) vulnerability in Oxid-Esales Eshop
OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition before 6.0.0 RC2 (development), 4.9.x before 4.9.10 (legacy) and 4.10.x before 4.10.5 (maintenance) allow remote attackers to hijack the cart session of a client via Cross-Site Request Forgery (CSRF) if the following pre-conditions are met: (1) the attacker knows which shop is presently used by the client, (2) the attacker knows the exact time when the customer will add product items to the cart, (3) the attacker knows which product items are already in the cart (has to know their article IDs), and (4) the attacker would be able to trick user into clicking a button (submit form) of an e-mail or remote site within the period of visiting the shop and placing an order.
network
high complexity
oxid-esales CWE-352
7.5
2018-02-19 CVE-2018-5763 Improper Input Validation vulnerability in Oxid-Esales Eshop
An issue was discovered in OXID eShop Enterprise Edition before 5.3.7 and 6.x before 6.0.1.
network
high complexity
oxid-esales CWE-20
5.9
2018-01-19 CVE-2015-6926 Improper Authentication vulnerability in Oxid-Esales Eshop
The OpenID Single Sign-On authentication functionality in OXID eShop before 4.5.0 allows remote attackers to impersonate users via the email address in a crafted authentication token.
network
low complexity
oxid-esales CWE-287
7.5
2018-01-19 CVE-2014-4919 Permissions, Privileges, and Access Controls vulnerability in Oxid-Esales Eshop
OXID eShop Professional Edition before 4.7.13 and 4.8.x before 4.8.7, Enterprise Edition before 5.0.13 and 5.1.x before 5.1.7, and Community Edition before 4.7.13 and 4.8.x before 4.8.7 allow remote attackers to assign users to arbitrary dynamical user groups.
network
low complexity
oxid-esales CWE-264
5.4