Search Results
- Results Type: Overview
- Keyword (text search): cpe:2.3:a:shopizer:shopizer:2.7.0:*:*:*:*:*:*:*
- CPE Name Search: true
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2022-23063 | Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in will still have access to the application even after the password was changed. Published: May 03, 2022; 5:15:09 AM -0400 | V3.1: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2022-23061 | In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin (although this cannot happen according to the documentation) via Insecure Direct Object Reference (IDOR) vulnerability. Published: May 01, 2022; 9:15:07 AM -0400 | V3.1: 6.5 MEDIUM V2.0: 5.5 MEDIUM |
CVE-2022-23060 | A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage files” tab. Published: May 01, 2022; 9:15:07 AM -0400 | V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2022-23059 | A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0 via the “Manage Images” tab, which allows an attacker to upload an SVG file containing malicious JavaScript code. Published: March 29, 2022; 7:15:07 AM -0400 | V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2021-33562 | A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL. Published: May 24, 2021; 7:15:08 PM -0400 | V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2021-33561 | A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. It is saved in the database. The code is executed for any user of store administration when information is fetched from the backend, e.g., in admin/customers/list.html. Published: May 24, 2021; 7:15:08 PM -0400 | V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2020-11006 | In Shopizer before version 2.11.0, a script can be injected in various forms and saved in the database, then executed when information is fetched from backend. This has been patched in version 2.11.0. Published: May 08, 2020; 3:15:12 PM -0400 | V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2020-11007 | In Shopizer before version 2.11.0, using API or Controller based versions, negative quantity is not adequately validated, hence creating incorrect shopping cart and order total. This vulnerability makes it possible to create a negative total in the shopping cart. This has been patched in version 2.11.0. Published: April 16, 2020; 3:15:26 PM -0400 | V3.1: 6.5 MEDIUM V2.0: 4.0 MEDIUM |