CVE-2018-12579

20.08.2018, 22:29

An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attacker could gain access to the admin panel or a customer account when using the password reset function. To do so, it is required to own a domain name similar to the one the victim uses for their e-mail accounts.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 60%

Vendor	Product	Version
oxid-esales	eshop	𝑥 ≤ 4.10.7
oxid-esales	eshop	𝑥 ≤ 4.10.7
oxid-esales	eshop	𝑥 ≤ 5.3.7
oxid-esales	eshop	6.0.0:beta1
oxid-esales	eshop	6.0.0:beta1
oxid-esales	eshop	6.0.0:beta1
oxid-esales	eshop	6.0.0:beta2
oxid-esales	eshop	6.0.0:beta2
oxid-esales	eshop	6.0.0:beta2
oxid-esales	eshop	6.0.0:beta3
oxid-esales	eshop	6.0.0:beta3
oxid-esales	eshop	6.0.0:beta3
oxid-esales	eshop	6.0.0:rc1
oxid-esales	eshop	6.0.0:rc1
oxid-esales	eshop	6.0.0:rc1
oxid-esales	eshop	6.0.0:rc2
oxid-esales	eshop	6.0.0:rc2
oxid-esales	eshop	6.0.0:rc2
oxid-esales	eshop	6.0.2
oxid-esales	eshop	6.0.2
oxid-esales	eshop	6.0.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

References

https://bugs.oxid-esales.com/view.php?id=6818

https://oxidforge.org/en/security-bulletin-2018-002.html

https://bugs.oxid-esales.com/view.php?id=6818

https://oxidforge.org/en/security-bulletin-2018-002.html