Security bulletins/2010-005

Released: October 20th, 2010

The following issue has been identified:

= Synopsis =

We identified a possible SQL injection vulnerability.

= State =

Resolved in OXID eShop version 4.4.3.

= Impact =

By sending specially crafted code to certain forms, unauthorized users may gain access to the shop database.

No exploits are known as of today.

= Affected products, releases and platforms =

Products:


 * OXID eShop Professional Edition
 * OXID eShop Enterprise Edition
 * OXID eShop Community Edition

Releases:


 * Professional, Enterprise and Community Edition: 4.4.0, 4.4.1 and 4.4.2

Platforms:


 * Above releases are affected on all platforms.

= Resolution =

The issue has been addressed in the following releases:


 * OXID eShop Professional Edition version 4.4.3
 * OXID eShop Enterprise Edition version 4.4.3
 * OXID eShop Community Edition version 4.4.3

= Credits =

The security issue was found during one of our regular security audits.

= Stay up-to-date =

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum.

= How to report security issues =

Learn how to report security issues on the Security overview page.