An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel via session fixation.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Eshop | Oxid-esales | 4.9.0 (including) | 4.10.0 (including) |
| Eshop | Oxid-esales | 5.2.0 (including) | 5.3.0 (including) |
| Eshop | Oxid-esales | 6.0.0 (including) | 6.0.6 (excluding) |
| Eshop | Oxid-esales | 6.1.0 (including) | 6.1.5 (excluding) |
Such a scenario is commonly observed when: