CVE-2018-12579

HIGH

OXID eShop <5.3.8,6.0.x<6.0.3,6.1.x<6.1.0 - Auth Bypass

Title source: llm

Description

An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attacker could gain access to the admin panel or a customer account when using the password reset function. To do so, it is required to own a domain name similar to the one the victim uses for their e-mail accounts.

References (2)

[Vendor Advisory] https://bugs.oxid-esales.com/view.php?id=6818

[Patch, Third Party Advisory] https://oxidforge.org/en/security-bulletin-2018-002.html

Scores

CVSS v3 8.1

EPSS 0.0042

EPSS Percentile 62.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-640

Status published

Products (4)

oxid-esales/eshop 6.0.0 beta1 (15 CPE variants)

oxid-esales/eshop 6.0.2 (3 CPE variants)

oxid-esales/eshop < 4.10.7 (2 CPE variants)

oxid-esales/eshop < 5.3.7

Published Aug 20, 2018

Tracked Since Feb 18, 2026