CVE-2018-12579
Severity CVSS v4.0: Pending analysis
Type: CWE-640 (Weak Password Recovery Mechanism for Forgotten Password)
Publication date: 20/08/2018
Last modified: 07/11/2018
Description
An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. Through the password reset function, an attacker can take over the shop's admin panel or a customer account. The only precondition is that the attacker controls a domain name that looks like the domain of the victim's e-mail address, so that the reset link ends up in a mailbox the attacker reads rather than the victim's. The fix is contained in the first version excluded from each range above (4.10.8, 5.3.8, 6.0.3 and 6.1.0); no workaround is given on this page.
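The description states the effect (a look-alike domain receives the victim's reset link) but not the code path inside OXID eShop. The following is an added illustration written for this page, not OXID's code: it assumes a weak reset handler that matches the submitted address against stored accounts with a lenient, accent-insensitive comparison and then mails the link to the address the requester typed, which is one concrete way a CWE-640 flaw of the kind described arises. The names (USERS, PENDING, Mailer, reset_weak, reset_hardened, tokens_for_domain, consume) and the sample accounts are hypothetical and constructed for the example. The hardened variant beside it matches exactly and sends only to the stored address.

```python
import secrets
import unicodedata

# Constructed sample accounts (not OXID data): stored e-mail -> account record.
USERS = {
    "admin@example.com": {"is_admin": True},
    "alice@example.com": {"is_admin": False},
}

# Issued reset tokens: token -> stored e-mail of the account it unlocks.
PENDING = {}


def fold(addr: str) -> str:
    """Lenient key used by the weak lookup: lower-case and strip diacritics,
    so 'admin@exämple.com' collapses to 'admin@example.com'. This mimics an
    accent-insensitive comparison and is an assumption of this example."""
    decomposed = unicodedata.normalize("NFKD", addr)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


class Mailer:
    """Stand-in for the shop's mail transport; records what would be sent."""

    def __init__(self):
        self.sent = []  # list of (recipient, token)

    def send_reset(self, recipient: str, token: str) -> None:
        self.sent.append((recipient, token))


def reset_weak(submitted: str, mailer: Mailer) -> str:
    """CWE-640 pattern: the account is found by lenient comparison and the
    reset link is sent to the address the requester typed, not the one on file.
    An attacker who owns the look-alike domain receives a token for the victim."""
    for stored in USERS:
        if fold(stored) == fold(submitted):
            token = secrets.token_urlsafe(32)
            PENDING[token] = stored
            mailer.send_reset(submitted, token)  # attacker-chosen recipient
            break
    return "If the address exists, a reset link has been sent."


def reset_hardened(submitted: str, mailer: Mailer) -> str:
    """Exact match on the stored address, and the link goes only to that
    stored address, so a look-alike domain never receives a token. The
    response is identical either way to avoid account enumeration."""
    stored = submitted if submitted in USERS else None
    if stored is not None:
        token = secrets.token_urlsafe(32)
        PENDING[token] = stored
        mailer.send_reset(stored, token)  # recipient taken from the record
    return "If the address exists, a reset link has been sent."


def tokens_for_domain(mailer: Mailer, domain: str) -> list:
    """Reset tokens that landed in mailboxes under `domain`, i.e. what an
    attacker who controls that domain would receive."""
    return [tok for to, tok in mailer.sent if to.rsplit("@", 1)[-1] == domain]


def consume(token: str):
    """Redeem a reset token; returns the account it unlocks, or None."""
    return PENDING.pop(token, None)


if __name__ == "__main__":
    attacker_domain = "exämple.com"  # look-alike of example.com, attacker-owned
    weak = Mailer()
    reset_weak("admin@" + attacker_domain, weak)
    for tok in tokens_for_domain(weak, attacker_domain):
        print("weak handler leaked a token for", consume(tok))
    hardened = Mailer()
    reset_hardened("admin@" + attacker_domain, hardened)
    print("hardened handler sent", len(hardened.sent), "mails to the attacker")
```

The check a practitioner wants from this is the last line of the weak path: the recipient of the reset mail comes from the request, not from the account record, and a lenient lookup turns that into an account takeover. Sending only to the stored address closes the hole regardless of how forgiving the lookup is.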
Impact
Base Score 3.x: 8.10 (Severity 3.x: HIGH)
Base Score 2.0: 6.80 (Severity 2.0: MEDIUM)
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:oxid-esales:eshop:*:*:*:*:community:*:*:* | | 4.10.7 (including) |
| cpe:2.3:a:oxid-esales:eshop:*:*:*:*:professional:*:*:* | | 4.10.7 (including) |
| cpe:2.3:a:oxid-esales:eshop:*:*:*:*:enterprise:*:*:* | | 5.3.7 (including) |
| cpe:2.3:a:oxid-esales:eshop:6.0.0:beta1:*:*:community:*:*:* | | |
| cpe:2.3:a:oxid-esales:eshop:6.0.0:beta1:*:*:enterprise:*:*:* | | |
| cpe:2.3:a:oxid-esales:eshop:6.0.0:beta1:*:*:professional:*:*:* | | |
| cpe:2.3:a:oxid-esales:eshop:6.0.0:beta2:*:*:community:*:*:* | | |
| cpe:2.3:a:oxid-esales:eshop:6.0.0:beta2:*:*:enterprise:*:*:* | | |
| cpe:2.3:a:oxid-esales:eshop:6.0.0:beta2:*:*:professional:*:*:* | | |
| cpe:2.3:a:oxid-esales:eshop:6.0.0:beta3:*:*:community:*:*:* | | |
| cpe:2.3:a:oxid-esales:eshop:6.0.0:beta3:*:*:enterprise:*:*:* | | |
| cpe:2.3:a:oxid-esales:eshop:6.0.0:beta3:*:*:professional:*:*:* | | |
| cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:community:*:*:* | | |
| cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:enterprise:*:*:* | | |
| cpe:2.3:a:oxid-esales:eshop:6.0.0:rc1:*:*:professional:*:*:* | | |