CVE-2022-23061

Published: May 1, 2022Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Exploitability: 1.2 / Impact: 5.2

Source: vulnerabilitylab@mend.io (Secondary)

Description

In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin (although this cannot happen according to the documentation) via Insecure Direct Object Reference (IDOR) vulnerability.

Affected (1)

Products: Shopizer: Shopizer

Shopizer

1 product

Shopizer

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Shopizer Shopizer	From 2.0 to 2.17.0

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://github.com/shopizer-ecommerce/shopizer/commit/6b9f1ecd303b3b724d96bd08095c1a751dcc287e

Source: vulnerabilitylab@mend.io

PatchThird Party Advisory

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23061

Source: vulnerabilitylab@mend.io

ExploitThird Party Advisory

https://github.com/shopizer-ecommerce/shopizer/commit/6b9f1ecd303b3b724d96bd08095c1a751dcc287e

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23061

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.