Security bulletins/2013-001

OXID eSales AG Security Bulletin 2013-001

This bulletin has been assigned a CVE identifier of CVE-2013-5913
CVSS score 2.1
Released: October 8th, 2013

The following issue has been identified:


Synopsis

An XSS (cross-site scripting) vulnerability was found.


State

Resolved in OXID eShop Professional and Community Edition version 4.7.8 and OXID eShop Enterprise Edition version 5.0.8. It will also be resolved in all editions of OXID eShop with version 4.6.7 of the former series.

Impact

Under certain circumstances, an attacker can trick a user into entering a specially crafted URI or clicking on a malformed link to exploit a cross-site scripting vulnerability that theoretically can be used to gain unauthorized access to a user account or to collect this user's sensitive information.

No exploits are known as of today.


Affected products, releases and platforms

Products:

  • OXID eShop Professional Edition
  • OXID eShop Enterprise Edition
  • OXID eShop Community Edition

Releases:

  • All previous releases

Platforms:

  • All platforms


Resolution

The issue has been addressed in the following releases:

  • OXID eShop Professional Edition version 4.7.8
  • OXID eShop Community Edition version 4.7.8
  • OXID eShop Enterprise Edition version 5.0.8

Bug tracker entry: https://bugs.oxid-esales.com/view.php?id=5404


Workaround:

Please find the public function getRecommSearch() around line 388 in application/controllers/recommlist.php (views/recommlist.php in former versions).

Replace the line

if ( $sSearch = oxConfig::getParameter( 'searchrecomm', true ) ) {

with

if ( $sSearch = oxConfig::getParameter( 'searchrecomm', false ) ) {
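To make the effect of that one-argument change visible, here is an added example (not OXID's own code): a minimal stand-in for oxConfig::getParameter() in which, as assumed here, the second argument is a raw flag that returns the request value untouched when true and HTML-escapes it when false. The name getParameterStandIn() and the use of htmlspecialchars() are assumptions for illustration only.

```php
<?php
// Added example, not OXID eShop code. Assumption: the second argument of
// oxConfig::getParameter() is a "raw" flag; true skips escaping of the
// request value, false escapes HTML special characters before returning it.
function getParameterStandIn(array $request, string $name, bool $raw = false): ?string
{
    if (!isset($request[$name])) {
        return null;
    }
    $value = $request[$name];
    // Escaping for an HTML context; OXID uses its own helper for this.
    return $raw ? $value : htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Does a literal opening tag survive into the rendered HTML?
function containsRawTag(string $html, string $tag): bool
{
    return strpos($html, '<' . $tag . '>') !== false;
}

// Constructed request: the recommendation-list search term carries markup.
$request = ['searchrecomm' => 'shoes<b>sale</b>'];

// Before the workaround (raw flag true): the value reaches the page unchanged.
$before = getParameterStandIn($request, 'searchrecomm', true);
// After the workaround (raw flag false): markup is neutralised on the way in.
$after = getParameterStandIn($request, 'searchrecomm', false);

// Simulate the recommendation-list page echoing the search term back.
$pageBefore = '<h1>Search results for: ' . $before . '</h1>';
$pageAfter = '<h1>Search results for: ' . $after . '</h1>';

echo 'raw flag true:  ' . (containsRawTag($pageBefore, 'b') ? 'markup survives' : 'markup escaped') . PHP_EOL;
echo 'raw flag false: ' . (containsRawTag($pageAfter, 'b') ? 'markup survives' : 'markup escaped') . PHP_EOL;
```

The same check, run against the real getRecommSearch() output after applying the workaround, confirms that a search term containing markup is rendered as text rather than as HTML.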


Credits

The security issue has been reported by Adrian Märtins (SysEleven GmbH).


Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum.


How to report security issues

Learn how to report security issues in the Security overview page.
