A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. The injected value is saved in the database, and the code is executed for any user of store administration when the information is fetched from the backend, e.g., in admin/customers/list.html.
References
Link | Resource |
---|---|
https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271 | Patch Third Party Advisory |
https://github.com/shopizer-ecommerce/shopizer/compare/2.16.0...2.17.0 | Patch Third Party Advisory |
https://www.exploit-db.com/exploits/49901 | Exploit Third Party Advisory VDB Entry |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-05-24T22:33:22
Updated: 2021-05-24T22:33:22
Reserved: 2021-05-24T00:00:00
Link: CVE-2021-33561
NVD Information
Status: Analyzed
Published: 2021-05-24T23:15:08.750
Modified: 2021-05-27T22:10:17.830
Link: CVE-2021-33561
Redhat Information
No data.
CWE