7.5

CVE-2017-14993

OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka "forced browsing") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option.
Data provided by the National Vulnerability Database (NVD)

Affected products (NVD configuration data):

Product Edition Version range
OXID eSales eShop Community >= 4.9.0, < 4.9.11
OXID eSales eShop Professional >= 4.9.0, < 4.9.11
OXID eSales eShop Community >= 4.10.0, < 4.10.6
OXID eSales eShop Professional >= 4.10.0, < 4.10.6
OXID eSales eShop Enterprise >= 5.2.0, < 5.2.11
OXID eSales eShop Enterprise >= 5.3.0, < 5.3.6
OXID eSales eShop Community 6.0.0 RC1
OXID eSales eShop Enterprise 6.0.0 RC1
OXID eSales eShop Professional 6.0.0 RC1
OXID eSales eShop Community 6.0.0 RC2
OXID eSales eShop Enterprise 6.0.0 RC2
OXID eSales eShop Professional 6.0.0 RC2
No CISA KEV entry or CERT.AT advisory was found for this CVE.

EPSS metrics

Type Source Score Percentile
EPSS FIRST.org 0.64% 0.682
CVSS metrics

Source Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 5 10 2.9 AV:N/AC:L/Au:N/C:N/I:N/A:P (CVSS v2)
CWE-425 Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.