eCommerce Sites Exposed Due To New Vulnerability found on OXID eShop Software


By Mohammed Tahir, August 2, 2019

An e-commerce website built on the OXID eShop platform can be compromised because of some critical flaws. To protect your e-commerce site, you need to update it immediately.

OXID eShop is one of the top e-commerce shop software solutions from Germany, and its enterprise edition is used by industry leaders including Mercedes, Bitburger, and Edeka.


Cybersecurity researchers have discovered a pair of critical vulnerabilities in the OXID eShop software that could allow attackers to access an eShop remotely in very little time, all on default configurations. The researchers detected a SQL injection flaw and a remote code execution (RCE) flaw.

No interaction between the attacker and the victim is needed to exploit either vulnerability, and both flaws work against the default configuration of the e-commerce software provided by OXID eShop.

OXID eShop: SQL Injection Flaw

The first flaw, tracked as CVE-2019-13026, is a SQL injection vulnerability that allows an attacker to create a new administrator account, with a password of their own choice, on a website that uses the OXID eShop software.

OXID eShop: Remote Code Execution (RCE) Flaw

The second vulnerability is a PHP object injection issue that resides in the administration panel of an e-commerce website running OXID eShop software. It occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function.

Once exploitation succeeds, an attacker can inject malicious code on the main server, or install a malicious plugin of their own to steal PayPal account credentials, users' credit card details, and other highly sensitive financial information that passes through the OXID eShop system.

This flaw can be exploited only to gain remote code execution (RCE) on the server; however, it requires administrative access, which can be obtained by using the first vulnerability.
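The unserialize() problem described above, shown as an added PHP example that is neither OXID eShop code nor part of the original article. The class `TempFileCleaner` and the `loadPrefs*` functions are hypothetical, and the serialized string is constructed; the block shows why passing request data to unserialize() runs application code, and how `allowed_classes` plus a type check stops it.

```php
<?php
// Added illustration. Class and function names are hypothetical, not OXID eShop code.
// Stand-in for a "gadget": a class the application already loads whose magic
// method acts on properties that a serialized string can set.
class TempFileCleaner
{
    public $path = '';
    public static $log = [];
    public function __destruct()
    {
        // Real code might delete or write $this->path; this demo only records it.
        self::$log[] = "destructor ran with path={$this->path}";
    }
}

// Weak pattern: request data goes straight into unserialize().
function loadPrefsUnsafe(string $input)
{
    return unserialize($input);
}

function containsObject($value): bool
{
    if (!is_array($value)) {
        return is_object($value) || $value instanceof __PHP_Incomplete_Class;
    }
    return (bool) array_filter($value, 'containsObject');
}

// Hardened: instantiate no classes (PHP >= 7.0), then accept plain arrays only.
function loadPrefsNoObjects(string $input): array
{
    $data = @unserialize($input, ['allowed_classes' => false]);
    if (!is_array($data) || containsObject($data)) {
        throw new InvalidArgumentException('serialized input rejected');
    }
    return $data;
}

// Constructed input: an array carrying an object the caller never expected.
$payload = 'a:1:{s:5:"theme";O:15:"TempFileCleaner":1:{s:4:"path";s:9:"/tmp/demo";}}';
loadPrefsUnsafe($payload); // result discarded, so the object is destroyed at once
echo 'after unsafe load: ', count(TempFileCleaner::$log), " destructor call(s)\n";
try {
    loadPrefsNoObjects($payload);
} catch (InvalidArgumentException $e) {
    echo 'hardened load: ', $e->getMessage(), "\n";
}
echo 'after hardened load: ', count(TempFileCleaner::$log), " destructor call(s)\n";
```

Where the data format is under the application's control, exchanging it as JSON and reading it with json_decode() avoids object instantiation altogether.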
