Vulnerability Details : CVE-2017-14993
OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition before 6.0.0 RC3 (development), 4.9.x before 4.9.11 (legacy) and 4.10.x before 4.10.6 (maintenance) allow remote attackers to crawl specially crafted URLs (aka "forced browsing") in order to overflow the database of the shop and consequently make it stop working. Prerequisite: the shop allows rendering empty categories to the storefront via an admin option.
Products affected by CVE-2017-14993
- cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:*
- Oxid-esales » Eshop » Professional EditionVersions from including (>=) 4.10.0 and before (<) 4.10.6cpe:2.3:a:oxid-esales:eshop:*:*:*:*:professional:*:*:*
- cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:oxid-esales:eshop:*:*:*:*:community:*:*:*
- cpe:2.3:a:oxid-esales:eshop:*:*:*:*:community:*:*:*
- cpe:2.3:a:oxid-esales:eshop:*:*:*:*:professional:*:*:*
- cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:professional:*:*:*
- cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:community:*:*:*
- cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:enterprise:*:*:*
- cpe:2.3:a:oxid-esales:eshop:6.0.0:rc2:*:*:community:*:*:*
- cpe:2.3:a:oxid-esales:eshop:6.0.0:rc2:*:*:enterprise:*:*:*
- cpe:2.3:a:oxid-esales:eshop:6.0.0:rc2:*:*:professional:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-14993
0.20%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 58 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-14993
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2017-14993
-
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-14993
-
https://oxidforge.org/en/security-bulletin-2017-002.html
Security Bulletin 2017-002 • OXIDforgePatch;Vendor Advisory
-
https://bugs.oxid-esales.com/view.php?id=6678
0006678: Forced browsing attack possible - OXID eShop bugtrackVendor Advisory
Jump to