In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin (although this cannot happen according to the documentation) via Insecure Direct Object Reference (IDOR). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
All versions of package materialize-css are vulnerable to Cross-site Scripting (XSS) due to improper escape of user input (such as <not-a-tag />) that is being parsed as HTML/JavaScript, and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
This affects all versions of package org.nanohttpd:nanohttpd. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.