View Issue Details

ID: 0006890
Project: OXID eShop (all versions)
Category: 4.04. Security
View Status: public
Last Update: 2019-07-31 11:18
Reporter: anton.fedurtsya
Priority: high
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: (none)
Target Version: (none)
Fixed in Version: 6.1.4
Summary: 0006890: SQL injections possible in admin interface
Description: There are 2 SQL injection possibilities in

oxideshop_ce/source/Application/Controller/Admin/CategoryOrderAjax.php

Line 120 in ec33d6d

             $sSelect .= "where $sO2CView.oxcatnid = '$soxId' and $sArticleTable.oxparentid = '' and $sArticleTable.oxid ";

as $soxId is not escaped when in admin.
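
Added example (not OXID eShop's own code): the reported fragment rebuilt as the vulnerable form beside a hardened form that passes $soxId as a bound PDO parameter and accepts the two table identifiers only from a whitelist, since identifiers cannot be bound. The helper names, the :catid placeholder and the demo table names are assumptions, and the select prefix the fragment is appended to is not on the page and is left out.

```php
<?php
// Added example, not code from OXID eShop: the reported fragment rebuilt two ways.
// The hardened form binds $soxId as a parameter and accepts table identifiers only
// from a whitelist, since identifiers cannot be bound and must be checked instead.

// Vulnerable, as on line 120: the category id is interpolated into the SQL text,
// so a quote in $soxId terminates the string literal and the rest is parsed as SQL.
function buildWhereVulnerable(string $sO2CView, string $sArticleTable, string $soxId): string
{
    return "where $sO2CView.oxcatnid = '$soxId' and $sArticleTable.oxparentid = '' and $sArticleTable.oxid ";
}

// Hardened: returns the fragment with a named placeholder plus the parameter array
// for PDOStatement::execute(); the value never becomes part of the SQL text.
function buildWhereHardened(string $sO2CView, string $sArticleTable, string $soxId, array $allowedTables): array
{
    $view = quoteIdentifier($sO2CView, $allowedTables);
    $art  = quoteIdentifier($sArticleTable, $allowedTables);
    $sql  = "where $view.oxcatnid = :catid and $art.oxparentid = '' and $art.oxid ";
    return [$sql, [':catid' => $soxId]];
}

// Identifiers are validated against a fixed list and backtick-quoted; anything
// not on the list is rejected instead of being spliced into the query.
function quoteIdentifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("table identifier not allowed: $name");
    }
    return '`' . $name . '`';
}

// Constructed demo input (not from the report): a category id containing a quote.
$soxId   = "cat'id";
$allowed = ['demo_o2c_view', 'demo_articles'];   // constructed table names

echo buildWhereVulnerable('demo_o2c_view', 'demo_articles', $soxId), "\n"; // quote lands in the SQL

[$sql, $params] = buildWhereHardened('demo_o2c_view', 'demo_articles', $soxId, $allowed);
echo $sql, "\n";                                  // only the :catid placeholder appears
assert($params[':catid'] === $soxId);             // value kept verbatim for execute()

try {
    buildWhereHardened('not_a_known_table', 'demo_articles', $soxId, $allowed);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                  // unknown identifier is refused
}
```

With a live connection the hardened fragment is used as `$pdo->prepare($prefix . $sql)->execute($params)`, so the same quote-bearing input is matched literally rather than interpreted.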

Tags: No tags attached.
Theme: Not defined
Browser: Not defined
PHP Version: Not defined
MySQL Version: Not defined

Activities

There are no notes attached to this issue.