CVE-2016-5072

EPSS 2.04%
Veröffentlicht 10.04.2017 03:59:01
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle cret@cert.org
CVE-Watchlists
Login
Unerledigt
Login

OXID eShop before 2016-06-13 allows remote attackers to execute arbitrary code via a GET or POST request to the oxuser class. Fixed versions are Enterprise Edition v5.1.12, Enterprise Edition v5.2.9, Professional Edition v4.8.12, Professional Edition v4.9.9, Community Edition v4.8.12, Community Edition v4.9.9.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Oxidforge ≫ Oxid Eshop SwEditioncommunity Version <= 4.9.8

Oxidforge ≫ Oxid Eshop SwEditionprofessional Version <= 4.9.8

Oxidforge ≫ Oxid Eshop SwEditionenterprise Version <= 5.2.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.04%	0.833

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://oxidforge.org/en/security-bulletin-2016-001.html

Patch

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2016-5072

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-5072

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-5072

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2016-5072