PT-2018-5400 · Oxid · Oxid Eshop Community Edition +2

Published: 2018-02-20 · Updated: 2018-03-16 · CVE-2017-12415

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
OXID eShop Community Edition versions 4.9.x through 4.9.9 and 4.10.x through 4.10.4
OXID eShop Enterprise Edition versions 5.2.x through 5.2.9 and 5.3.x through 5.3.4
OXID eShop Professional Edition versions 4.9.x through 4.9.9 and 4.10.x through 4.10.4
Description: The issue allows a remote attacker to hijack a customer's cart session via Cross-Site Request Forgery (CSRF), but only under specific pre-conditions. The attacker must know which shop the customer is using, the exact time at which the customer will add products to the cart, and the product items already in the cart (including their article IDs), and must be able to trick the customer into clicking a button or submitting a form within that specific time frame. These pre-conditions are reflected in the CVSS vector above (high attack complexity, user interaction required).
Recommendations:
OXID eShop Community Edition 4.9.x through 4.9.9: update to version 4.9.10 or later.
OXID eShop Community Edition 4.10.x through 4.10.4: update to version 4.10.5 or later.
OXID eShop Enterprise Edition 5.2.x through 5.2.9: update to version 5.2.10 or later.
OXID eShop Enterprise Edition 5.3.x through 5.3.4: update to version 5.3.5 or later.
OXID eShop Professional Edition 4.9.x through 4.9.9: update to version 4.9.10 or later.
OXID eShop Professional Edition 4.10.x through 4.10.4: update to version 4.10.5 or later.

Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers: CVE-2017-12415

Affected Products:
Oxid Eshop Community Edition
Oxid Eshop Enterprise Edition
Oxid Eshop Professional Edition