View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0006890 | OXID eShop (all versions) | 4.04. Security | public | 2018-08-20 14:39 | 2019-07-31 11:18 |

| Field | Value |
|---|---|
| Reporter | anton.fedurtsya |
| Assigned To | |
| Priority | high |
| Severity | minor |
| Reproducibility | always |
| Status | resolved |
| Resolution | fixed |
| Fixed in Version | 6.1.4 |
| Summary | 0006890: SQL injections possible in admin interface |
| Description | There are 2 SQL Injection possibilities in oxideshop_ce/source/Application/Controller/Admin/CategoryOrderAjax.php, Line 120 in ec33d6d: `$sSelect .= "where $sO2CView.oxcatnid = '$soxId' and $sArticleTable.oxparentid = '' and $sArticleTable.oxid ";` as $soxId is not escaped when in admin. |
| Tags | No tags attached. |
| Theme | Not defined |
| Browser | Not defined |
| PHP Version | Not defined |
| Database Version | Not defined |
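As an added illustration (not code from the OXID project or from the reporter, and not necessarily how 6.1.4 fixed it), the reported pattern, an id concatenated raw into the SQL string, shown next to a hardened version that passes the id through the shop's database layer. It assumes OXID's `DatabaseProvider::getDb()->quote()` API; the function names and the sample id are constructed for the example.

```php
<?php
// Added example, not OXID project code. The table and view names are
// treated as trusted server-side constants, exactly as in the original line;
// only $soxId comes from the request and is the value that needs handling.

use OxidEsales\Eshop\Core\DatabaseProvider;

/**
 * Vulnerable shape from the report: $soxId lands inside the SQL string
 * unescaped, so any quote character in it changes the query structure.
 */
function buildSelectUnsafe(string $sO2CView, string $sArticleTable, string $soxId): string
{
    return "where $sO2CView.oxcatnid = '$soxId' and $sArticleTable.oxparentid = '' and $sArticleTable.oxid ";
}

/**
 * Hardened shape: quote() (assumed OXID DB-layer API) returns the value
 * already wrapped in quotes with special characters escaped, so the hand-written
 * quotes around $soxId are dropped and the id can no longer break out of the literal.
 */
function buildSelectSafe(string $sO2CView, string $sArticleTable, string $soxId): string
{
    $sQuotedId = DatabaseProvider::getDb()->quote($soxId);
    return "where $sO2CView.oxcatnid = $sQuotedId and $sArticleTable.oxparentid = '' and $sArticleTable.oxid ";
}

// Constructed sample id containing an apostrophe: in the unsafe variant it
// terminates the string literal early; in the safe variant it is escaped.
$sSampleId = "cat'O'Neil";
echo buildSelectUnsafe('oxobject2category', 'oxarticles', $sSampleId), PHP_EOL;
echo buildSelectSafe('oxobject2category', 'oxarticles', $sSampleId), PHP_EOL;
```

Running the script inside a bootstrapped shop shows the second query fragment with the apostrophes escaped; the same review point applies to any other admin controller that builds SQL from a request parameter by string concatenation.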