Shopizer

16 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty, in its original format.
  • EPSS 0.14%
  • Published 30.04.2026 18:16:29
  • Last modified 30.04.2026 19:16:09

Multiple authenticated cross-site scripting (XSS) vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the getInputStream() or getR...

  • EPSS 0.41%
  • Published 30.04.2026 17:16:26
  • Last modified 30.04.2026 18:16:29

A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers to write arbitrary files to any writeable path via a crafted POST request.

Exploit
  • EPSS 0.2%
  • Published 22.08.2025 00:00:00
  • Last modified 12.09.2025 19:40:49

An issue was discovered in Shopizer 3.2.7. The server's CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling Access-Control-Allow-Credentials: t...

Exploit
  • EPSS 1.15%
  • Published 03.05.2022 09:15:09
  • Last modified 21.11.2024 06:47:54

Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in will still have access to the application even after the pa...

Exploit
  • EPSS 0.6%
  • Published 01.05.2022 13:15:07
  • Last modified 21.11.2024 06:47:54

A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage files” tab.

Exploit
  • EPSS 1.08%
  • Published 01.05.2022 13:15:07
  • Last modified 21.11.2024 06:47:54

In Shopizer versions 2.0 to 2.17.0, a regular admin can permanently delete a superadmin (although this cannot happen according to the documentation) via an Insecure Direct Object Reference (IDOR) vulnerability.

Exploit
  • EPSS 0.62%
  • Published 29.03.2022 11:15:07
  • Last modified 21.11.2024 06:47:54

A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0 via the “Manage Images” tab, which allows an attacker to upload an SVG file containing malicious JavaScript code.

Exploit
  • EPSS 2.85%
  • Published 24.05.2021 23:15:08
  • Last modified 21.11.2024 06:09:05

A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. It is saved in the database. The code is executed f...

Exploit
  • EPSS 2.92%
  • Published 24.05.2021 23:15:08
  • Last modified 21.11.2024 06:09:06

A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/re...

  • EPSS 0.63%
  • Published 08.05.2020 19:15:12
  • Last modified 21.11.2024 04:56:33

In Shopizer before version 2.11.0, a script can be injected in various forms and saved in the database, then executed when information is fetched from the backend. This has been patched in version 2.11.0.