MEDIUM 4.8 Maven

Cross-site scripting in Shopizer

GHSA-rcp4-jm2v-mr3f · CVE-2021-33561

Published · Modified

Description

A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. The injected value is saved in the database, and the code is executed for any user of store administration when the information is fetched from the backend, e.g., in admin/customers/list.html.
