CVE-2021-33561

unknown

Published 2021-06-08 · Modified 2023-11-08

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Cross-site scripting in Shopizer

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-49901 webapps java text · 2 KB

Marek Toth · 2021-05-24

Shopizer 2.16.0 - 'Multiple' Cross-Site Scripting (XSS)

text exploit Source: Exploit-DB

# Exploit Title: Shopizer 2.16.0 - 'Multiple' Cross-Site Scripting (XSS)
# Date: 23-05-2021
# Exploit Author: Marek Toth 
# Vendor Homepage: https://www.shopizer.com
# Software Link: https://github.com/shopizer-ecommerce/shopizer
# Version: <= 2.16.0
# CVE: CVE-2021-33561, CVE-2021-33562

Stored XSS - 'customer_name' Administration 

Description:
A stored cross-site scripting (XSS) vulnerability in Shopizer before version 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration and saved in the database. The code is executed for any user of store administration when information is fetched from backend.

Steps to reproduce:
1. Open "http://example.com/admin/" and login to the administration
2. Open "Customers" (http://example.com/admin/customers/list.html) and click on the "Details" button
3. Change customer name to <script>alert(1)</script> and save it
4. Open "Customers" -> XSS payload will trigger

Except "Customers" section, XSS will be executed in "Orders" (/admin/orders/list.html) and "Recent orders" (/admin/home.html)

Reflected XSS - 'ref' parameter 

Description:
A reflected cross-site scripting (XSS) vulnerability in Shopizer before version 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the 'ref' parameter.

Payloads: 
'+alert(1)+'
'+eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))+'

PoC:
http://example.com/shop/product/vintage-bag-with-leather-bands.html/ref='+alert(1)+'

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	com.shopizer:shopizer	`<2.17.0`	`2.17.0`

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.