CVE-2021-33561 – com.shopizer:shopizer
Package
Manager: maven
Name: com.shopizer:shopizer
Vulnerable Version: >=0 <2.17.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00734 (percentile: 0.71904)
Details
Cross-site scripting in Shopizer
A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. The injected value is saved in the database, and the code is executed for any user of store administration when information is fetched from the backend, e.g., in admin/customers/list.html.
Metadata
Created: 2021-06-08T23:10:24Z
Modified: 2021-05-28T18:38:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-rcp4-jm2v-mr3f/GHSA-rcp4-jm2v-mr3f.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-rcp4-jm2v-mr3f
Finding: F425
Auto approve: 1