CVE-2017-14993

HIGH

OXID eShop <6.0.0 RC3, <4.10.6, <4.9.11 - Info Disclosure

Title source: llm

Description

OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka "forced browsing") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option.

References (2)

[Vendor Advisory] https://bugs.oxid-esales.com/view.php?id=6678

[Patch, Vendor Advisory] https://oxidforge.org/en/security-bulletin-2017-002.html

Scores

CVSS v3 7.5

EPSS 0.0064

EPSS Percentile 70.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-425

Status published

Products (3)

oxid-esales/eshop 6.0.0 rc1 (6 CPE variants)

oxid-esales/eshop 4.9.0 - 4.9.11 (2 CPE variants)

oxid-esales/eshop 5.2.0 - 5.2.11

Published Feb 20, 2018

Tracked Since Feb 18, 2026