CVE Vulnerabilities

CVE-2017-14993

Direct Request ('Forced Browsing')

Published: Feb 20, 2018 | Modified: Oct 03, 2019
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P
RedHat/V2
RedHat/V3
Ubuntu

OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka forced browsing) in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option.

Weakness

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Affected Software

Name Vendor Start Version End Version
Eshop Oxid-esales 6.0.0 6.0.0
Eshop Oxid-esales 6.0.0 6.0.0
Eshop Oxid-esales 6.0.0 6.0.0
Eshop Oxid-esales 6.0.0 6.0.0
Eshop Oxid-esales 5.3.0 *
Eshop Oxid-esales 5.2.0 *
Eshop Oxid-esales 6.0.0 6.0.0
Eshop Oxid-esales 4.9.0 *
Eshop Oxid-esales 4.10.0 *
Eshop Oxid-esales 6.0.0 6.0.0
Eshop Oxid-esales 4.10.0 *
Eshop Oxid-esales 4.9.0 *

Potential Mitigations

References