CVE-2016-5072

high

Published 2017-04-10 · Modified 2026-05-13

CVSS v3

8.8

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2

6.5

VIR risk

8.8

Description

OXID eShop before 2016-06-13 allows remote attackers to execute arbitrary code via a GET or POST request to the oxuser class. Fixed versions are Enterprise Edition v5.1.12, Enterprise Edition v5.2.9, Professional Edition v4.8.12, Professional Edition v4.9.9, Community Edition v4.8.12, Community Edition v4.9.9.

Predictions

Exploit likelihood

92%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cret@cert.org — https://oxidforge.org/en/security-bulletin-2016-001.html

Application impact

Vendor	Product	Versions	Fixed
oxidforge	oxid_eshop	`{"endIncluding":"4.9.8"}`

References

https://oxidforge.org/en/security-bulletin-2016-001.html
https://oxidforge.org/en/security-bulletin-2016-001.html

CWEs

CWE-94

Verify integrity in audit chain (admin only). AS-IS.