CVE-2017-14993

Name of the Vulnerable Software and Affected Versions: OXID eShop Community Edition versions prior to 6.0.0 RC3 OXID eShop Community Edition versions 4.10.x prior to 4.10.6 OXID eShop Community Edition versions 4.9.x prior to 4.9.11 OXID eShop Enterprise Edition versions prior to 6.0.0 RC3 OXID eShop Enterprise Edition versions 5.2.x prior to 5.2.11 OXID eShop Enterprise Edition versions 5.3.x prior to 5.3.6 OXID eShop Professional Edition versions prior to 6.0.0 RC3 OXID eShop Professional Edition versions 4.9.x prior to 4.9.11 OXID eShop Professional Edition versions 4.10.x prior to 4.10.6

Description: The issue allows remote attackers to crawl specially crafted URLs, also known as "forced browsing", which can overflow the database of the shop and make it stop working. This can happen if the shop allows rendering empty categories to the storefront via an admin option.

Recommendations: For OXID eShop Community Edition versions prior to 6.0.0 RC3, update to version 6.0.0 RC3 or later. For OXID eShop Community Edition versions 4.10.x prior to 4.10.6, update to version 4.10.6 or later. For OXID eShop Community Edition versions 4.9.x prior to 4.9.11, update to version 4.9.11 or later. For OXID eShop Enterprise Edition versions prior to 6.0.0 RC3, update to version 6.0.0 RC3 or later. For OXID eShop Enterprise Edition versions 5.2.x prior to 5.2.11, update to version 5.2.11 or later. For OXID eShop Enterprise Edition versions 5.3.x prior to 5.3.6, update to version 5.3.6 or later. For OXID eShop Professional Edition versions prior to 6.0.0 RC3, update to version 6.0.0 RC3 or later. For OXID eShop Professional Edition versions 4.9.x prior to 4.9.11, update to version 4.9.11 or later. For OXID eShop Professional Edition versions 4.10.x prior to 4.10.6, update to version 4.10.6 or later.