Security bulletins/2010-007

Released: December 13th

The following issue has been identified:

= Synopsis =

The possibility of a cross-site scripting (XSS) attack was found.

= State =

Resolved in OXID eShop version 4.4.5.

= Impact =

Using specially crafted JavaScript code inserted into particular input fields of the OXID eShop frontend, it is possible to execute unauthorized JavaScript code in the eShop admin area. No exploits are known as of today.
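The pattern described above, a value accepted in the frontend and later rendered in the admin area, as an added illustration that is not OXID eShop code: the hypothetical "unsafe" renderer emits the stored value verbatim, the hardened one encodes it for the HTML context at output time. Field and function names are assumptions.

```php
<?php
// Added illustration (not OXID eShop code). Field and function names are
// hypothetical; the sample input is constructed for the demonstration.

// Constructed frontend input, as a customer might submit it in an order form.
$submittedCompanyName = 'ACME <script>document.title="x"</script> GmbH';

// Simulated persistence: in a real shop this would be a database row.
$storedOrder = ['company' => $submittedCompanyName];

// Vulnerable rendering: the stored value is concatenated into admin HTML as-is,
// so any markup it contains becomes part of the admin page's DOM.
function renderAdminRowUnsafe(array $order): string
{
    return '<td>' . $order['company'] . '</td>';
}

// Hardened rendering: encode for the HTML text context at the point of output.
// ENT_QUOTES also covers single and double quotes, which matters if the same
// helper is reused inside attribute values.
function adminEscape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderAdminRowSafe(array $order): string
{
    return '<td>' . adminEscape($order['company']) . '</td>';
}

$unsafe = renderAdminRowUnsafe($storedOrder);
$safe   = renderAdminRowSafe($storedOrder);

// The unsafe output still contains a live <script> element; the hardened
// output contains only the literal text "&lt;script&gt;" and renders inert.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

echo $safe, PHP_EOL;
```

Escaping must happen where the value is output, not where it is stored, because the same stored value may later be rendered in several contexts (HTML body, attribute, JavaScript) that each need their own encoding.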

= Affected products, releases and platforms =

Products:

 * OXID eShop Enterprise Edition
 * OXID eShop Professional Edition
 * OXID eShop Community Edition

Releases:

 * Professional, Enterprise and Community Edition: 4.0.0.0_13895, 4.0.0.0_13934, 4.0.0.0_14260, 4.0.0.1_14455, 4.0.0.2_14842, 4.0.0.2_14967, 4.0.1.0_15990, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.4.3 and 4.4.4.

Platforms:

 * Above releases are affected on all platforms.

= Resolution =

The issue has been addressed in the following releases:

 * OXID eShop Professional Edition version 4.4.5
 * OXID eShop Enterprise Edition version 4.4.5
 * OXID eShop Community Edition version 4.4.5

= Credits =

The security issue has been found during one of our regular security audits.

= Stay up-to-date =

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum.

= How to report security issues =

Learn how to report security issues in the Security overview page.