CVE-2019-13026

{"id": "CVE-2019-13026", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-07-30T20:15:12.177", "references": [{"url": "https://oxidforge.org/en/security-bulletin-2019-001.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary."}, {"lang": "es", "value": "eShop de OXID versiones 6.0.x anteriores a 6.0.5 y versiones 6.1.x anteriores a 6.1.4, permite una inyecci\u00f3n SQL por medio de una URL especialmente dise\u00f1ada, lo que conlleva al acceso completo de un atacante. Esto incluye todas las opciones del carrito de compras, datos del cliente y la base de datos. No es necesaria la interacci\u00f3n entre el atacante y la v\u00edctima."}], "lastModified": "2019-08-07T15:10:49.410", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6BAB221-541A-4CD6-B9F8-F6E1BEC27509", "versionEndExcluding": "6.0.5", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:oxid-esales:eshop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A7B9C31D-D975-4D5E-BFE8-4BD5D3FE1D98", "versionEndExcluding": "6.1.4", "versionStartIncluding": "6.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}