CVE-2014-2016

OXID eShop <4.7.11, <4.8.4, <5.0.11, <5.1.4 - XSS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2016.

AI-analyzed exploit summary: This document provides a detailed technical analysis of multiple vulnerabilities in OXID eShop, including XSS and CRLF injection/HTTP response splitting. It includes specific attack vectors, affected parameters, and proof-of-concept URI/POST request examples.

Description

Multiple cross-site scripting (XSS) vulnerabilities in OXID eShop Professional and Community Edition 4.6.8 and earlier, 4.7.x before 4.7.11, and 4.8.x before 4.8.4, and Enterprise Edition 4.6.8 and earlier, 5.0.x before 5.0.11 and 5.1.x before 5.1.4 allow remote attackers to inject arbitrary web script or HTML via the searchtag parameter to the getTag function in (1) application/controllers/details.php or (2) application/controllers/tag.php.
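The pattern behind this CVE, reduced to its essentials as an added example in PHP (OXID eShop's language). This is not OXID's code and does not reproduce its getTag controllers; only the parameter name searchtag comes from the CVE description, and the handler names, the HTML fragment and the probe value are assumptions chosen for illustration. It shows the reflected-parameter pattern beside the hardened form, escaping at the point of output for the HTML context:

```php
<?php
// Added example, not OXID eShop's code. It imitates the pattern behind
// CVE-2014-2016: a user-supplied "searchtag" parameter reflected into the
// page. Function names and the HTML fragment are assumptions for
// illustration; only the parameter name "searchtag" comes from the CVE.

declare(strict_types=1);

// Vulnerable form: the raw query value is concatenated straight into HTML.
function renderTagHeadingVulnerable(array $query): string
{
    $tag = $query['searchtag'] ?? '';
    return '<h1>Tag: ' . $tag . '</h1>';
}

// Hardened form: escape for the HTML context at the point of output.
// ENT_QUOTES covers both quote styles so the value is also safe inside
// attribute values; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8,
// which would otherwise silently blank the output.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function renderTagHeadingFixed(array $query): string
{
    $tag = $query['searchtag'] ?? '';
    // PHP turns "searchtag[]=x" into an array; refuse anything but a string.
    if (!is_string($tag)) {
        $tag = '';
    }
    return '<h1>Tag: ' . escapeHtml($tag) . '</h1>';
}

// Constructed probe: a harmless marker payload of the kind a scanner would
// send, not a payload taken from the exploit-db writeup.
$probe = ['searchtag' => '"><svg onload=alert(1)>'];

$vulnerable = renderTagHeadingVulnerable($probe);
$fixed = renderTagHeadingFixed($probe);

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";

// Self-check: the injected tag must not survive verbatim in the fixed output.
assert(strpos($vulnerable, '<svg') !== false);
assert(strpos($fixed, '<svg') === false);
assert($fixed === '<h1>Tag: &quot;&gt;&lt;svg onload=alert(1)&gt;</h1>');
```

Run it with `php example.php` (zend.assertions=1 for the self-check to fire). The escaping is context-specific: htmlspecialchars is correct for text nodes and quoted attribute values, but a value placed inside a `<script>` block, a URL, or an unquoted attribute needs a different encoder, so the fix for a reflected parameter is to escape at each output site for that site's context rather than to "sanitize" the input once.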

Exploits (1)

exploitdb WRITEUP
webapps / php
https://www.exploit-db.com/exploits/32375

Classification
Writeup 95%
Attack Type
XSS | Info Leak | Other
Complexity
Moderate
Reliability
Theoretical
Target: OXID eShop PE/CE <= 4.6.8, 4.7.x < 4.7.11, 4.8.x < 4.8.4; EE <= 4.6.8, 5.0.x < 5.0.11, 5.1.x < 5.1.4
No auth needed
Prerequisites: User interaction (clicking a malformed link or entering a crafted URI)
devstral-2 · analyzed Feb 19, 2026

References (2)

Core 2
Core References
Vendor Advisory x_refsource_confirm
http://wiki.oxidforge.org/Security_bulletins/2014-001
Third-Party Advisory x_refsource_secunia
http://secunia.com/advisories/57438

Scores

EPSS 0.0147
EPSS Percentile 70.4%

Details

CWE
CWE-79
Status published
Products (1)
oxid-esales/eshop <= 4.6.8 (3 CPE variants)
Published Mar 25, 2014
Tracked Since Feb 18, 2026