First published: Tue Nov 05 2019
An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition 5.2.x-5.3.x, OXID eShop Professional Edition 4.9.x-4.10.x and OXID eShop Community Edition 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel via session fixation: the crafted URL carries a session identifier chosen by the attacker, and once an administrator logs in under that identifier the attacker's session becomes an authenticated admin session.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oxid-esales Eshop | >=4.9.0 <=4.10.0 | |
| Oxid-esales Eshop | >=5.2.0 <=5.3.0 | |
| Oxid-esales Eshop | >=6.0.0 <6.0.6 | Upgrade to 6.0.6 |
| Oxid-esales Eshop | >=6.1.0 <6.1.5 | Upgrade to 6.1.5 |
The vulnerability ID of this issue in OXID eShop is CVE-2019-17062.
The severity level of CVE-2019-17062 is high with a score of 8.8.
OXID eShop versions 4.9.x-4.10.x (Community Edition), 4.9.x-4.10.x (Professional Edition), 5.2.x-5.3.x (Enterprise Edition), 6.0.0-6.0.6 (Community and Enterprise Editions), and 6.1.0-6.1.5 (Community and Enterprise Editions) are affected by CVE-2019-17062.
CVE-2019-17062 is triggered when a user with administrative rights opens a specially crafted URL; through session fixation, this can grant an unauthorized user access to the admin panel.
You can find more information about CVE-2019-17062 in the official security bulletin: https://oxidforge.org/en/security-bulletin-2019-002.html