CVE-2017-14993
HIGHOXID eShop <6.0.0 RC3, <4.10.6, <4.9.11 - Info Disclosure
Title source: llmDescription
OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka "forced browsing") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://bugs.oxid-esales.com/view.php?id=6678
Patch, Vendor Advisory x_refsource_confirm
https://oxidforge.org/en/security-bulletin-2017-002.html
Scores
CVSS v3
7.5
EPSS
0.0123
EPSS Percentile
64.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-425
Status
published
Products (3)
oxid-esales/eshop
6.0.0 rc1 (6 CPE variants)
oxid-esales/eshop
4.9.0 - 4.9.11 (2 CPE variants)
oxid-esales/eshop
5.2.0 - 5.2.11
Published
Feb 20, 2018
Tracked Since
Feb 18, 2026