We found results for “


Date: May 1, 2022


In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin (although this cannot happen according to the documentation) via Insecure Direct Object Reference (IDOR) vulnerability.


Shopizer application generally does not allow a regular admin to delete a superadmin according to the documentation. This can be bypassed due to IDOR vulnerability.

PoC Details

Browse the application and login with regular administrator credentials (a regular admin can only manage users in its own store) via “/admin/login.html” endpoint. Now navigate to “admin/users/list.html” endpoint. Intercept the traffic via burp before deleting the user. Replace the userId parameter with superadmin’s id (that you created for the POC). We can see that the superadmin is permanently deleted and we are unable to login as the superadmin.

Affected Environments

2.0 through 2.17.0


Upgrade version to 3.0.0 or higher

Language: Java

Good to know:


Authorization Bypass Through User-Controlled Key


Upgrade Version

Upgrade to version 3.0.0

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): Partial
Additional information: