Security bulletins/2014-001

This bulletin has been assigned the CVE identifier CVE-2014-2016 (CVSS score 4.2). Released: March 11th, 2014.

The following issue has been identified:

= Synopsis =

An XSS vulnerability was found.

= State =


 * Resolved in OXID eShop versions 4.7.11/5.0.11 and 4.8.4/5.1.4.
 * A fix for OXID eShop version 4.6.8 is available.
 * Please see the proposed workaround for older versions of OXID eShop.

= Impact =

Under certain circumstances, an attacker can trick a user into entering a specially crafted URI or clicking a malformed link to exploit a cross-site scripting vulnerability that could theoretically be used to gain unauthorized access to the user's account or to collect sensitive information about that user.

No exploits are known as of today.

= Affected products, releases and platforms =

Products:


 * OXID eShop Enterprise Edition
 * OXID eShop Professional Edition
 * OXID eShop Community Edition

Releases:


 * All previous releases

Platforms:


 * All releases are affected on all platforms.

= Resolution =

The issue has been addressed in the following patch releases (estimated on FEB 25th):


 * OXID eShop Professional Edition version 4.7.11 and 4.8.4
 * OXID eShop Enterprise Edition version 5.0.11 and 5.1.4
 * OXID eShop Community Edition version 4.7.11 and 4.8.4

and as a fix for the following versions:


 * OXID eShop Professional Edition version 4.6.8
 * OXID eShop Enterprise Edition version 4.6.8
 * OXID eShop Community Edition version 4.6.8

Bug tracker entry: https://bugs.oxid-esales.com/view.php?id=5611

= Workaround =

1. Please find the public function getTag around line 1019 in application/controllers/details.php (views/details.php in former versions).

Replace the line

return oxConfig::getParameter("searchtag", 1);

with

return oxConfig::getParameter("searchtag", false);

2. Then find the public function getTag around line 252 in application/controllers/tag.php (views/tag.php in former versions).

Replace the line

$this->_sTag = oxConfig::getParameter("searchtag", 1);

with

$this->_sTag = oxConfig::getParameter("searchtag", false);
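
Why the second argument matters, as an added illustration that is not OXID's own code: the stand-in getParameterStandIn() below is an assumption that mimics only the raw/escaped distinction of oxConfig::getParameter(), and workaroundApplied() is a hypothetical helper that checks whether the raw-flag call is still present in the two files named above.

```php
<?php
// Added illustration (not OXID eShop code): a stand-in for oxConfig::getParameter()
// reproducing the one property this bulletin hinges on: the second argument
// selects whether the request value is returned raw or with HTML-relevant
// characters neutralised.

function getParameterStandIn(array $request, string $name, bool $raw = false): ?string
{
    if (!isset($request[$name])) {
        return null;
    }
    if ($raw) {
        return $request[$name];           // raw flag set: returned exactly as submitted
    }
    // Neutralise the characters that would let a value switch HTML context.
    return str_replace(
        ['&', '<', '>', '"', "'"],
        ['&amp;', '&lt;', '&gt;', '&quot;', '&#039;'],
        $request[$name]
    );
}

// Hypothetical audit helper: true when a source file no longer fetches
// "searchtag" with the raw flag (the line the workaround tells you to replace).
function workaroundApplied(string $sourceFile): bool
{
    $code = file_get_contents($sourceFile);
    return preg_match('/getParameter\(\s*"searchtag"\s*,\s*1\s*\)/', $code) === 0;
}

// Constructed request, not a real capture: a search tag that carries markup.
$request = ['searchtag' => 'shoes<b>bold</b>'];

// Before the workaround the raw flag (1) passes the markup through untouched;
// after it (false) the markup is escaped before it reaches the template.
echo "before workaround: ", getParameterStandIn($request, 'searchtag', true), "\n";
echo "after workaround:  ", getParameterStandIn($request, 'searchtag', false), "\n";

// Check the two files named in the workaround (paths as given in the bulletin),
// skipping any that do not exist in the current directory.
foreach (['application/controllers/details.php', 'application/controllers/tag.php'] as $file) {
    if (is_file($file)) {
        printf("%s: %s\n", $file, workaroundApplied($file) ? 'patched' : 'raw flag still set');
    }
}
```

Run it from the shop root to see the escaped versus unescaped value and whether either controller still contains the raw-flag call.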

= Credits =

Many thanks to Heiko Frenzel for the hint!

= Stay up-to-date =

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum.

= How to report security issues =

Learn how to report security issues in the Security overview page.