This bulletin has been assigned a CVE identifier of CVE-2009-2266.
Released: August 11th, 2009
As part of our regular security audit, the following issue has been identified:
Specially crafted cookie can lead to unauthorized access to session information of unregistered users.
Resolved in current OXID eShop release 4.1.4-21266. Fix for previous major releases will be available soon.
By sending a specially crafted cookie, unauthorized users may gain access to session information of unregistered users. Session information includes the users details and order history.
No exploits are known as of today.
Affected products, releases and platforms
- OXID eShop Professional Edition
- OXID eShop Enterprise Edition
- OXID eShop Community Edition
- Professional, Enterprise and Community Edition: 188.8.131.52_13895, 184.108.40.206_13934, 220.127.116.11_14260, 18.104.22.168_14455, 22.214.171.124_14842, 126.96.36.199_14967, 188.8.131.52_15990, 4.1.0-17976, 4.1.1-18442, 4.1.2-18998, 4.1.3-19918
- Enterprise Edition: in addition to the above, all 2.x versions
- Professional Edition: in addition to the above, all 3.x versions
- Above releases are affected on all platforms.
Note: Older releases than the ones mentioned might as well be affected. They are considered end of life and will not be supported.
The issue has been addressed in the following releases:
- OXID eShop Professional Edition version 4.1.4-21266
- OXID eShop Enterprise Edition version 4.1.4-21266
- OXID eShop Community Edition version 4.1.4-21266
For the legacy release OXID eShop Professional Edition 184.108.40.206 and Enterprise Edition 220.127.116.11, a separate fix will be made available shortly after the release of this security bulletin.
Note: Users of the legacy < 18.104.22.168 and < 22.214.171.124 releases will first have to install the latest update in order to apply the fix.
The security issue has been found during one of our regular security audits.
How to report security issues
Learn how to report security issues in the Security overview page.