Security bulletins/2011-002

Released: 02/03/11

The following issue has been identified:

= Synopsis =

A possibility to capture another user's session was found.

= State =

Resolved in OXID eShop version 4.4.6.

= Impact =

In some special cases, when several users are working in the same place in the eShop frontend, it is possible to capture another user's session. No exploits are known as of today.

= Affected products, releases and platforms =

Products:


 * OXID eShop Enterprise Edition

Releases:


 * Enterprise Edition: 4.0.0.0_13895, 4.0.0.0_13934, 4.0.0.0_14260, 4.0.0.1_14455, 4.0.0.2_14842, 4.0.0.2_14967, 4.0.1.0_15990, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4 and 4.4.5.

Platforms:


 * Above releases are affected on all platforms.

= Resolution =

The issue has been addressed in the following releases:


 * OXID eShop Enterprise Edition version 4.4.6

= Credits =

The security issue has been found during one of our regular security audits.

= Stay up-to-date =

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum.

= How to report security issues =

Learn how to report security issues on the Security overview page.