← Back

CVE-2017-14993

nvd nist
Published: Feb 20, 2018Modified: Nov 21, 2024

JSON object

Loading...
7.5
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 / Impact: 3.6
Source: NVD

Description

OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka "forced browsing") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option.

Affected (12)

Products: Oxid Esales: Eshop
Oxid Esales
1 product
Eshop
Configuration A
12 vulnerable
Vulnerable SoftwareAffected Versions
Oxid Esales
Eshop
From 4.10.0 to 4.10.6
Eshop
From 4.9.0 to 4.9.11
Eshop
From 5.2.0 to 5.2.11
Eshop
From 5.3.0 to 5.3.6
Eshop
From 4.10.0 to 4.10.6
Eshop
From 4.9.0 to 4.9.11
Eshop
Version 6.0.0 rc1
Eshop
Version 6.0.0 rc1
Eshop
Version 6.0.0 rc1
Eshop
Version 6.0.0 rc2
Eshop
Version 6.0.0 rc2
Eshop
Version 6.0.0 rc2

Related CWEs

CWE-425
Direct Request ('Forced Browsing')
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

References (4)

Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory

Timeline

No history available yet.