CVE-2017-14993

EUVD-2017-6469
OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka "forced browsing") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option.
Forced Browsing
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
Affected Products (NVD)
VendorProductVersion
oxid-esaleseshop
4.9.0 ≤
𝑥
< 4.9.11
oxid-esaleseshop
4.9.0 ≤
𝑥
< 4.9.11
oxid-esaleseshop
4.10.0 ≤
𝑥
< 4.10.6
oxid-esaleseshop
4.10.0 ≤
𝑥
< 4.10.6
oxid-esaleseshop
5.2.0 ≤
𝑥
< 5.2.11
oxid-esaleseshop
5.3.0 ≤
𝑥
< 5.3.6
oxid-esaleseshop
6.0.0:rc1
oxid-esaleseshop
6.0.0:rc1
oxid-esaleseshop
6.0.0:rc1
oxid-esaleseshop
6.0.0:rc2
oxid-esaleseshop
6.0.0:rc2
oxid-esaleseshop
6.0.0:rc2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://bugs.oxid-esales.com/view.php?id=6678
https://oxidforge.org/en/security-bulletin-2017-002.html
https://bugs.oxid-esales.com/view.php?id=6678
https://oxidforge.org/en/security-bulletin-2017-002.html