as part of a regular audit, a security issue has been identified: Specially crafted SQL statements can lead to unauthorized access to the database.
All OXID eShops of versions 2.7.x, 3.x and 4.x are affected, no exploits are known yet.
For version 4.x of the OXID eShop this security issue has been fixed with version 4.1.6, please find the appropriate patch here:
The Security Bulletin 2009-004 was published at
Clients of versions 18.104.22.168 and 22.214.171.124 with a support contract will shortly be sent a patch that fixes the security issue. Unfortunately, older versions can not be supported.