VYPR
Vendor: Oxid
Products: 11
CVEs: 21
Across products: 36
Status: Private

Recent CVEs
  • CVE-2016-5072 · High · Apr 10, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    OXID eShop before 2016-06-13 allows remote attackers to execute arbitrary code via a GET or POST request to the oxuser class. Fixed versions are Enterprise Edition v5.1.12, Enterprise Edition v5.2.9, Professional Edition v4.8.12, Professional Edition v4.9.9, Community Edition…

  • CVE-2019-25260 · High · Feb 3, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    OXID eShop versions 6.x prior to 6.3.4 contain a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database…

  • CVE-2018-12579 · High · Aug 20, 2018
    risk 0.53 · cvss 8.1 · epss 0.01

    An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x…

  • CVE-2017-14993 · High · Feb 20, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition…

  • CVE-2017-12415 · High · Feb 20, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition…

  • CVE-2014-2017 · Medium · Jan 18, 2018
    risk 0.43 · cvss 6.1 · epss 0.02

    CRLF injection vulnerability in OXID eShop Professional Edition before 4.7.11 and 4.8.x before 4.8.4, Enterprise Edition before 5.0.11 and 5.1.x before 5.1.4, and Community Edition before 4.7.11 and 4.8.x before 4.8.4 allows remote attackers to inject arbitrary HTTP headers and…

  • CVE-2018-5763 · Medium · Feb 19, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    An issue was discovered in OXID eShop Enterprise Edition before 5.3.7 and 6.x before 6.0.1. By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill and hence, it stops working. This is only valid if OXID High Performance Option is…

  • CVE-2014-4919 · Medium · Jan 19, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    OXID eShop Professional Edition before 4.7.13 and 4.8.x before 4.8.7, Enterprise Edition before 5.0.13 and 5.1.x before 5.1.7, and Community Edition before 4.7.13 and 4.8.x before 4.8.7 allow remote attackers to assign users to arbitrary dynamical user groups.

  • CVE-2008-5405 · Dec 10, 2008
    risk 0.07 · cvss n/a · epss 0.47

    Stack-based buffer overflow in the RDP protocol password decoder in Cain & Abel 4.9.23 and 4.9.24, and possibly earlier, allows remote attackers to execute arbitrary code via an RDP file containing a long string.

  • CVE-2014-2016 · Mar 25, 2014
    risk 0.03 · cvss n/a · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in OXID eShop Professional and Community Edition 4.6.8 and earlier, 4.7.x before 4.7.11, and 4.8.x before 4.8.4, and Enterprise Edition 4.6.8 and earlier, 5.0.x before 5.0.11 and 5.1.x before 5.1.4 allow remote attackers to…

  • CVE-2024-56526 · May 13, 2025
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in OXID eShop before 7. CMS pages in combination with Smarty may display user information if a CMS page contains a Smarty syntax error.

  • CVE-2023-38330 · Aug 2, 2023
    risk 0.00 · cvss n/a · epss 0.00

    OXID eShop Enterprise Edition 6.5.0 – 6.5.2 before 6.5.3 allows uploading files with modified headers in the administration area. An attacker can upload a file with a modified header to create a HTTP Response Splitting attack.

  • CVE-2023-26260 · Apr 11, 2023
    risk 0.00 · cvss n/a · epss 0.00

    OXID eShop 6.2.x before 6.4.4 and 6.5.x before 6.5.2 allows session hijacking, leading to partial access of a customer's account by an attacker, due to an improper check of the user agent.

  • CVE-2019-17062 · Nov 5, 2019
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. By using a specially crafted URL, users…

  • CVE-2019-13026 · Jul 30, 2019
    risk 0.00 · cvss n/a · epss 0.01

    OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary.

  • CVE-2018-20715 · Jan 15, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL injection via the oxid or synchoxid parameter to the oxConfig::getRequestParameter() method in core/oxconfig.php.

  • CVE-2013-5913 · Oct 15, 2013
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site scripting (XSS) vulnerability in the getRecommSearch function in recommlist.php in OXID eShop before 4.6.7, Professional and Community Edition 4.7.x before 4.7.8, and Enterprise Edition 5.x before 5.0.8 allows remote attackers to inject arbitrary web script or HTML…

  • CVE-2009-3113 · Sep 9, 2009
    risk 0.00 · cvss n/a · epss 0.01

    Unspecified vulnerability in OXID eShop Professional, Enterprise, and Community Edition before 4.1.2, 3.x, and 2.x allows remote attackers to gain write access to product reviews via a crafted parameter.

  • CVE-2009-3112 · Sep 9, 2009
    risk 0.00 · cvss n/a · epss 0.02

    Unspecified vulnerability in OXID eShop Professional, Enterprise, and Community Edition before 4.1.0 allows remote attackers to gain administrator privileges and access the shop backend via a crafted parameter.

  • CVE-2009-2266 · Sep 9, 2009
    risk 0.00 · cvss n/a · epss 0.01

    OXID eShop 4.x before 4.1.4-21266, 3.x, and 2.x allows remote attackers to obtain sensitive information (session details and order history of other users) via a crafted cookie.