A vulnerability was found in Oxid eShop (affected version not known). It has been rated as critical. This issue affects the function oxuser. The manipulation with an unknown input leads to a code injection vulnerability. Using CWE to declare the problem leads to CWE-94. The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

OXID eShop before 2016-06-13 allows remote attackers to execute arbitrary code via a GET or POST request to the oxuser class. Fixed versions are Enterprise Edition v5.1.12, Enterprise Edition v5.2.9, Professional Edition v4.8.12, Professional Edition v4.9.9, Community Edition v4.8.12, Community Edition v4.9.9.

The bug was discovered 06/13/2016. The weakness was released 04/10/2017 (Website). The advisory is shared at oxidforge.org. The identification of this vulnerability is CVE-2016-5072 since 05/26/2016. The attack may be initiated remotely. A simple authentication is required for exploitation. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1059 for this issue.

The vulnerability was handled as a non-public zero-day exploit for at least 300 days. During that time the estimated underground price was around $0-$5k.

Upgrading eliminates this vulnerability.

Productinfo

Vendor

• Oxid

Name

• eShop

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion