CVE-2025-51605
- EPSS 0.03%
- Published 22.08.2025 00:00:00
- Last modified 12.09.2025 19:40:49
An issue was discovered in Shopizer 3.2.7. The server's CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling Access-Control-Allow-Credentials: t...
CVE-2022-23063
- EPSS 0.31%
- Published 03.05.2022 09:15:09
- Last modified 21.11.2024 06:47:54
Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in will still have access to the application even after the pa...
CVE-2022-23060
- EPSS 0.24%
- Published 01.05.2022 13:15:07
- Last modified 21.11.2024 06:47:54
A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage files” tab.
CVE-2022-23061
- EPSS 0.27%
- Published 01.05.2022 13:15:07
- Last modified 21.11.2024 06:47:54
In Shopizer versions 2.0 to 2.17.0, a regular admin can permanently delete a superadmin (although this should not be possible according to the documentation) via an Insecure Direct Object Reference (IDOR) vulnerability.
CVE-2022-23059
- EPSS 0.24%
- Published 29.03.2022 11:15:07
- Last modified 21.11.2024 06:47:54
A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0 via the “Manage Images” tab, which allows an attacker to upload an SVG file containing malicious JavaScript code.
CVE-2021-33561
- EPSS 0.73%
- Published 24.05.2021 23:15:08
- Last modified 21.11.2024 06:09:05
A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. It is saved in the database. The code is executed f...
CVE-2021-33562
- EPSS 0.33%
- Published 24.05.2021 23:15:08
- Last modified 21.11.2024 06:09:06
A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/re...
CVE-2020-11006
- EPSS 0.27%
- Published 08.05.2020 19:15:12
- Last modified 21.11.2024 04:56:33
In Shopizer before version 2.11.0, a script can be injected in various forms and saved in the database, then executed when information is fetched from backend. This has been patched in version 2.11.0.
CVE-2020-11007
- EPSS 0.3%
- Published 16.04.2020 19:15:26
- Last modified 21.11.2024 04:56:34
In Shopizer before version 2.11.0, when using the API- or Controller-based versions, a negative quantity is not adequately validated, creating incorrect shopping cart and order totals. This vulnerability makes it possible to create a negative total in the sho...
- EPSS 0.31%
- Published 21.08.2014 23:55:02
- Last modified 12.04.2025 10:46:40
com/salesmanager/central/profile/ProfileAction.java in Shopizer 1.1.5 and earlier does not restrict the number of authentication attempts, which makes it easier for remote attackers to guess passwords via a brute force attack.