Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJjcDQtam0ydi1tcjNm
Cross-site scripting in Shopizer
A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. It is saved in the database. The code is executed for any user of store administration when information is fetched from the backend, e.g., in admin/customers/list.html.
Permalink: https://github.com/advisories/GHSA-rcp4-jm2v-mr3f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJjcDQtam0ydi1tcjNm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-rcp4-jm2v-mr3f, CVE-2021-33561
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-33561
- https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271
- https://github.com/shopizer-ecommerce/shopizer/compare/2.16.0...2.17.0
- https://www.exploit-db.com/exploits/49901
- https://github.com/advisories/GHSA-rcp4-jm2v-mr3f
Blast Radius: 0.0
Affected Packages
maven:com.shopizer:shopizer
Dependent packages: 0
Dependent repositories: 1
Downloads:
Affected Version Ranges: < 2.17.0
Fixed in: 2.17.0
All affected versions: 2.16.0
All unaffected versions: