cvebase

Oxid-Esales Eshop vulnerabilities

13 known vulnerabilities affecting oxid-esales/eshop.

Total CVEs: 13
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 5, MEDIUM 6

Vulnerabilities

CVE | Priority | Severity | CVSS | Affected versions | Date
CVE-2019-13026 | P3 | CRITICAL | CVSS 9.8 | ≥ 6.0.0, < 6.0.5; ≥ 6.1.0, < 6.1.4 | 2019-07-30
CWE-89: OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary.
Source: nvd
CVE-2018-20715 | P3 | CRITICAL | CVSS 9.8 | v4.10.6 | 2019-01-15
CWE-89: The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL injection via the oxid or synchoxid parameter to the oxConfig::getRequestParameter() method in core/oxconfig.php.
Source: nvd
CVE-2015-6926 | P3 | HIGH | CVSS 7.5 | ≥ 4.0.1.0, ≤ 4.4.8 | 2018-01-19
CWE-287: The OpenID Single Sign-On authentication functionality in OXID eShop before 4.5.0 allows remote attackers to impersonate users via the email address in a crafted authentication token.
Source: nvd
CVE-2018-12579 | P3 | HIGH | CVSS 8.1 | ≤ 4.10.7; ≤ 5.3.7; +2 more | 2018-08-20
CWE-640: An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attacker could gain access to the admin panel or a custome
Source: nvd
CVE-2019-17062 | P3 | HIGH | CVSS 8.8 | ≥ 4.9.0, ≤ 4.10.0; ≥ 5.2.0, ≤ 5.3.0; +2 more | 2019-11-05
CWE-384: An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users
Source: nvd
CVE-2017-14993 | P3 | HIGH | CVSS 7.5 | ≥ 4.9.0, < 4.9.11; ≥ 4.10.0, < 4.10.6; +3 more | 2018-02-20
CWE-425: OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before
Source: nvd
CVE-2014-2016 | P4 | MEDIUM | CVSS 4.3 | PoC | ≤ 4.6.8; ≥ 4.7.0, < 4.7.11; +3 more | 2014-03-25
CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in OXID eShop Professional and Community Edition 4.6.8 and earlier, 4.7.x before 4.7.11, and 4.8.x before 4.8.4, and Enterprise Edition 4.6.8 and earlier, 5.0.x before 5.0.11 and 5.1.x before 5.1.4 allow remote attackers to inject arbitrary web script or HTML via the searchtag parameter to the getTag
Source: nvd
CVE-2017-12415 | P4 | HIGH | CVSS 7.5 | ≥ 4.9.0, < 4.9.10; ≥ 4.10.0, < 4.10.5; +3 more | 2018-02-20
CWE-352: OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition before 6.0.0 RC2 (development), 4.9.x before 4.9.10 (legacy) and 4.10.x before
Source: nvd
CVE-2018-5763 | P4 | MEDIUM | CVSS 5.9 | fixed in 5.3.7; v6.0.0 | 2018-02-19
CWE-20: An issue was discovered in OXID eShop Enterprise Edition before 5.3.7 and 6.x before 6.0.1. By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill and hence, it stops working. This is only valid if OXID High Performance Option is activated and Varnish is used.
Source: nvd
CVE-2023-38330 | P4 | MEDIUM | CVSS 5.3 | ≥ 6.5.0, < 6.5.3 | 2023-08-02
CWE-434: OXID eShop Enterprise Edition 6.5.0 - 6.5.2 before 6.5.3 allows uploading files with modified headers in the administration area. An attacker can upload a file with a modified header to create a HTTP Response Splitting attack.
Source: nvd
CVE-2014-4919 | P4 | MEDIUM | CVSS 5.4 | fixed in 4.7.13; ≥ 4.8.0, < 4.8.7; +2 more | 2018-01-19
CWE-264: OXID eShop Professional Edition before 4.7.13 and 4.8.x before 4.8.7, Enterprise Edition before 5.0.13 and 5.1.x before 5.1.7, and Community Edition before 4.7.13 and 4.8.x before 4.8.7 allow remote attackers to assign users to arbitrary dynamical user groups.
Source: nvd
CVE-2024-56526 | P4 | MEDIUM | CVSS 4.9 | ≤ 7.0.5 | 2025-05-13
CWE-200: An issue was discovered in OXID eShop before 7. CMS pages in combination with Smarty may display user information if a CMS page contains a Smarty syntax error.
Source: nvd
CVE-2013-5913 | P4 | MEDIUM | CVSS 4.3 | ≤ 4.6.6; v4.6.0; +21 more | 2013-10-15
CWE-79: Cross-site scripting (XSS) vulnerability in the getRecommSearch function in recommlist.php in OXID eShop before 4.6.7, Professional and Community Edition 4.7.x before 4.7.8, and Enterprise Edition 5.x before 5.0.8 allows remote attackers to inject arbitrary web script or HTML via the searchrecomm parameter.
Source: nvd