CVE-2017-14993

moderate-risk
Published 2018-02-20

OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka "forced browsing") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option.

Do I need to act?

-
0.64% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (9)

Eshop
Eshop
Eshop
Eshop
Eshop
Eshop
Eshop
Eshop
Eshop

Affected Vendors

Oxid-Esales

References (4)

Vendor Advisory https://bugs.oxid-esales.com/view.php?id=6678
Patch https://oxidforge.org/en/security-bulletin-2017-002.html
Vendor Advisory https://bugs.oxid-esales.com/view.php?id=6678
Patch https://oxidforge.org/en/security-bulletin-2017-002.html
43
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 2/34 · Minimal
Exposure 15/34 · Moderate