CVE-2019-25260

EUVD-2019-19383
OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitrary code through crafted URLs.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
VulnCheckCNA
8.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Common Weakness Enumeration
References
https://bugs.oxid-esales.com/view.php?id=7002
https://github.com/OXID-eSales/oxideshop_ce
https://web.archive.org/web/20190731211638/https://blog.ripstech.com/2019/oxid-esales-shop-software/
https://web.archive.org/web/20201020223434/https://www.vulnspy.com/en-oxid-eshop-6.x-sqli-to-rce/
https://www.exploit-db.com/exploits/48527
https://www.oxid-esales.com/
https://www.vulncheck.com/advisories/oxid-eshop-sorting-sql-injection