Skip to main content

Shopizer CVE-2021-33562

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2021-05-24 cve@mitre.org
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
May 24, 2021 - 23:15 nvd
MEDIUM 4.8

DescriptionNVD

A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL.

AnalysisAI

A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL. Affected products include: Shopizer. Version information: before 2.17.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2022-23063 HIGH POC
8.8 May 03

In Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. Rated high severity (CVSS 8.8), t

CVE-2014-4963 MEDIUM POC
6.8 Jul 15

Shopizer 1.1.5 and earlier allows remote attackers to modify the account settings of arbitrary users via the customer.cu

CVE-2014-4962 MEDIUM POC
6.4 Jul 15

Shopizer 1.1.5 and earlier allows remote attackers to reduce the total cost of their shopping cart via a negative number

CVE-2014-4964 MEDIUM POC
6.8 Jul 15

Multiple cross-site request forgery (CSRF) vulnerabilities in Shopizer 1.1.5 and earlier allow remote attackers to hijac

CVE-2022-23061 MEDIUM POC
6.5 May 01

In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin (although this cannot happen acco

CVE-2014-5385 MEDIUM POC
5.0 Aug 21

com/salesmanager/central/profile/ProfileAction.java in Shopizer 1.1.5 and earlier does not restrict the number of authen

CVE-2014-4965 MEDIUM POC
4.3 Jul 15

Multiple cross-site scripting (XSS) vulnerabilities in Shopizer 1.1.5 and earlier allow remote attackers to inject arbit

CVE-2022-23060 MEDIUM POC
4.8 May 01

A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged use

CVE-2022-23059 MEDIUM POC
4.8 Mar 29

A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0 via the “Manage Images”

CVE-2021-33561 MEDIUM POC
4.8 May 24

A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary

CVE-2020-11007 MEDIUM
6.5 Apr 16

In Shopizer before version 2.11.0, using API or Controller based versions negative quantity is not adequately validated

CVE-2020-11006 MEDIUM
5.4 May 08

In Shopizer before version 2.11.0, a script can be injected in various forms and saved in the database, then executed wh

Share

CVE-2021-33562 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy