CVE-2024-56526: 
PHP vulnerability analysis and mitigation

An information disclosure vulnerability was discovered in OXID eShop versions before 7, identified as CVE-2024-56526. The vulnerability occurs when CMS pages in combination with Smarty template engine may inadvertently display sensitive user information if a CMS page contains a Smarty syntax error. The vulnerability was discovered on May 13, 2025 (NIST NVD).

The vulnerability stems from PHP's output buffering behavior when exceptions occur. When a Smarty syntax error is present in a plain HTML template, the buffered output gets flushed due to PHP's output control behavior, potentially exposing sensitive information. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating remote accessibility with no privileges required. It has been classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NIST NVD, Wiz Security).

The vulnerability can be exploited to expose sensitive user information, particularly in password reset functionality. In a specific example, if the vulnerability is exploited in the password forgot plain HTML template (oxupdatepassinfoplainemail), it can allow an attacker to change the password of any account without notification to the account owner (OXID Bug).

Users should upgrade their OXID eShop installations to version 7 or later. Until a patch can be applied, administrators should carefully review and validate all CMS page templates for potential Smarty syntax errors, particularly in sensitive areas such as password reset functionality (NIST NVD).