CVE-2014-2017

MEDIUM

OXID eShop PE/CE < 4.7.11 and 4.8.x < 4.8.4, EE < 5.0.11 and 5.1.x < 5.1.4 - CRLF Injection (HTTP Response Splitting)


Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2017. PoCs published by //sToRm.

AI-analyzed exploit summary: the Exploit-DB writeup describes multiple vulnerabilities in OXID eShop, including XSS and CRLF injection/HTTP response splitting. It provides the concepts and sample payloads needed to reproduce them but no executable exploit code, so the entry is a manual test procedure rather than a ready-to-run exploit.

Description

CRLF injection vulnerability in OXID eShop Professional Edition before 4.7.11 and 4.8.x before 4.8.4, Enterprise Edition before 5.0.11 and 5.1.x before 5.1.4, and Community Edition before 4.7.11 and 4.8.x before 4.8.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
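The advisory leaves the vulnerable vector unspecified, so the following is an added illustration of the bug class, not OXID's code: a simulated redirect handler that copies a user-controlled value into a Location header (the CRLF-injectable pattern behind CWE-93), its hardened counterpart that rejects CR/LF, and a checker that tells the two apart by looking for a marker header in the raw response. The parameter value, the marker header name and the use of a redirect as the injection point are assumptions chosen for the example.

```python
import urllib.parse
from typing import Dict

# Assumed marker header for the probe; any name the target never emits on its own will do.
MARKER_HEADER = "X-Crlf-Probe"
MARKER_VALUE = "injected"


def build_payload(base_value: str = "home") -> str:
    """URL-encode a value carrying CR LF followed by a marker header line.

    A server that writes the decoded value into a header verbatim will emit the
    marker as a separate response header. The parameter semantics are assumed;
    CVE-2014-2017 does not name the vulnerable parameter.
    """
    raw = f"{base_value}\r\n{MARKER_HEADER}: {MARKER_VALUE}"
    return urllib.parse.quote(raw, safe="")


def vulnerable_redirect(target: str) -> bytes:
    """Simulated vulnerable handler: decoded input lands unfiltered in Location."""
    decoded = urllib.parse.unquote(target)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {decoded}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("iso-8859-1")


def sanitize_header_value(value: str) -> str:
    """CWE-93 mitigation: refuse any header value containing CR or LF.

    Rejecting beats silently stripping, since a stripped value may still be a
    redirect target the application never intended.
    """
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in header values")
    return value


def hardened_redirect(target: str) -> bytes:
    """Hardened handler: falls back to a fixed, known-good Location on bad input."""
    decoded = urllib.parse.unquote(target)
    try:
        safe = sanitize_header_value(decoded)
    except ValueError:
        safe = "/"
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {safe}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("iso-8859-1")


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP response into a lower-cased name -> value header map."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")[1:]  # drop the status line
    headers: Dict[str, str] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def response_splitting_detected(raw: bytes) -> bool:
    """True when the injected marker shows up as a distinct response header."""
    return parse_headers(raw).get(MARKER_HEADER.lower()) == MARKER_VALUE


if __name__ == "__main__":
    payload = build_payload()
    print("probe value:", payload)
    print("vulnerable handler split:", response_splitting_detected(vulnerable_redirect(payload)))
    print("hardened handler split:  ", response_splitting_detected(hardened_redirect(payload)))
```

Against a live target the same `response_splitting_detected` check can be run on the raw bytes of a real response (for example from `http.client`), but only with the owner's permission; the payload is harmless by itself since the marker header has no effect on clients.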

Exploits (1)

exploitdb WRITEUP
by //sToRm · text · webapps · php
https://www.exploit-db.com/exploits/32375


Classification
Writeup (90% confidence)
Attack Type
XSS | Other
Complexity
Moderate
Reliability
Theoretical
Target: OXID eShop PE/CE < 4.7.11 and 4.8.x < 4.8.4; EE < 5.0.11 and 5.1.x < 5.1.4
No auth needed
Prerequisites: User interaction (e.g., the victim following a crafted link carrying the CRLF payload)
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Core References (2)
Issue Tracking, Vendor Advisory (x_refsource_confirm)
https://bugs.oxid-esales.com/view.php?id=5635
Patch, Vendor Advisory (x_refsource_confirm)
https://oxidforge.org/en/security-bulletin-2014-002.html

Scores

CVSS v3.0 base score 6.1 (Medium)
EPSS 0.0245 (2.45%)
EPSS Percentile 82.2%
Attack Vector NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-93 (Improper Neutralization of CRLF Sequences, "CRLF Injection")
Status published
Products (2)
oxidforge/eshop < 4.7.11 (2 CPE variants)
oxidforge/eshop < 5.0.11
Published Jan 18, 2018
Tracked Since Feb 18, 2026