Vulnerabilities > Shopizer

DATE CVE VULNERABILITY TITLE RISK
2022-05-03 CVE-2022-23063 Insufficient Session Expiration vulnerability in Shopizer
In Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration.
network
low complexity
shopizer CWE-613
6.5
2022-05-01 CVE-2022-23060 Cross-site Scripting vulnerability in Shopizer
A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage files” tab
network
shopizer CWE-79
3.5
2022-05-01 CVE-2022-23061 Authorization Bypass Through User-Controlled Key vulnerability in Shopizer
In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin (although this cannot happen according to the documentation) via Insecure Direct Object Reference (IDOR) vulnerability.
network
low complexity
shopizer CWE-639
5.5
2022-03-29 CVE-2022-23059 Cross-site Scripting vulnerability in Shopizer
A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0 via the “Manage Images” tab, which allows an attacker to upload a SVG file containing malicious JavaScript code.
network
shopizer CWE-79
3.5
2021-05-24 CVE-2021-33561 Cross-site Scripting vulnerability in Shopizer
A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration.
network
shopizer CWE-79
3.5
2021-05-24 CVE-2021-33562 Cross-site Scripting vulnerability in Shopizer
A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL.
network
shopizer CWE-79
3.5
2020-05-08 CVE-2020-11006 Cross-site Scripting vulnerability in Shopizer
In Shopizer before version 2.11.0, a script can be injected in various forms and saved in the database, then executed when information is fetched from backend.
network
shopizer CWE-79
3.5
2020-04-16 CVE-2020-11007 Improper Input Validation vulnerability in Shopizer
In Shopizer before version 2.11.0, using API or Controller based versions negative quantity is not adequately validated hence creating incorrect shopping cart and order total.
network
low complexity
shopizer CWE-20
4.0
2014-08-21 CVE-2014-5385 Improper Authentication vulnerability in Shopizer 1.1.5
com/salesmanager/central/profile/ProfileAction.java in Shopizer 1.1.5 and earlier does not restrict the number of authentication attempts, which makes it easier for remote attackers to guess passwords via a brute force attack.
network
low complexity
shopizer CWE-287
5.0
2014-07-15 CVE-2014-4965 Cross-Site Scripting vulnerability in Shopizer 1.1.5
Multiple cross-site scripting (XSS) vulnerabilities in Shopizer 1.1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) customername parameter to central/orders/searchcriteria.action; (2) productname, (3) availability, or (4) status parameter to central/catalog/productlist.action; or unspecified vectors in (5) WebContent/orders/orderlist.jsp.
network
shopizer CWE-79
4.3