CVE-2021-33561

Published: May 24, 2021Modified: Nov 21, 2024

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. It is saved in the database. The code is executed for any user of store administration when information is fetched from the backend, e.g., in admin/customers/list.html.

Affected (1)

Products: Shopizer: Shopizer

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Shopizer Shopizer	Before 2.17.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/shopizer-ecommerce/shopizer/compare/2.16.0...2.17.0

Source: cve@mitre.org

PatchThird Party Advisory

https://www.exploit-db.com/exploits/49901

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/shopizer-ecommerce/shopizer/compare/2.16.0...2.17.0

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.exploit-db.com/exploits/49901

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

Timeline

No history available yet.