icon

We found results for “

CVE-2022-23060

Date: May 1, 2022

Overview

A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage files” tab.

Details

The “Shopizer” application is affected by the “Stored XSS” vulnerability, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage files” tab.

PoC Details

Browse the application and login with administrator credentials via “/admin/login.html” endpoint. Now navigate to the “Manage files” tab from “Manage content” and upload any image file. Click on “Upload Files” and intercept the request. Now change the value in the parameter “filename” to the payload found in the “POC Code” section below. The payload gets triggered after a successful upload.

PoC Code

<img src=x onerror=alert(1)>

Affected Environments

2.0 through 2.17.0

Prevention

Upgrade version to 3.0.0 or higher

Language: Java

Good to know:

icon

Cross-Site Scripting (XSS)

CWE-79
icon

Upgrade Version

Upgrade to version 3.0.0

Learn More

Base Score:
Attack Vector (AV):
Attack Complexity (AC):
Privileges Required (PR):
User Interaction (UI):
Scope (S):
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Base Score:
Access Vector (AV):
Access Complexity (AC):
Authentication (AU):
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
Additional information: