CVE-2019-25260

Sažetak

OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitrary code through crafted URLs.

Reference

https://bugs.oxid-esales.com/view.php?id=7002
https://github.com/OXID-eSales/oxideshop_ce
https://web.archive.org/web/20190731211638/https://blog.ripstech.com/2019/oxid-esales-shop-software/
https://web.archive.org/web/20201020223434/https://www.vulnspy.com/en-oxid-eshop-6.x-sqli-to-rce/
https://www.exploit-db.com/exploits/48527
https://www.oxid-esales.com/
https://www.vulncheck.com/advisories/oxid-eshop-sorting-sql-injection

CVSS

Base:	8.2
Impact:	4.2
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	LOW	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Zadnje važnije ažuriranje

04-02-2026 - 16:33

Objavljeno

03-02-2026 - 22:16