
Date: May 1, 2022


In Shopizer versions 2.0 through 2.17.0, a regular admin can permanently delete a superadmin (an action the documentation states is not permitted) via an Insecure Direct Object Reference (IDOR) vulnerability.


According to its documentation, Shopizer does not allow a regular admin to delete a superadmin. This restriction can be bypassed through the IDOR vulnerability: the delete request identifies its target by a client-supplied userId parameter, and the server acts on whatever id it receives rather than checking that the target is one the acting admin is actually allowed to manage.

PoC Details

Log in with regular administrator credentials (a regular admin can only manage users in its own store) via the “/admin/login.html” endpoint, then navigate to the “admin/users/list.html” endpoint. With Burp intercepting the traffic, trigger the deletion of a user and, before forwarding the request, replace the userId parameter with the id of a superadmin (created beforehand for the PoC). The superadmin is permanently deleted and it is no longer possible to log in as that superadmin.
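The following is an added example, not code from Shopizer or from this advisory's author: a small model of the delete-user authorization described above, with the vulnerable pattern (the handler trusts the userId in the request as long as the caller is some admin) beside a hardened version that authorizes against the target's stored attributes. The data model, function names and the sample users are made up for illustration; Shopizer's real classes and endpoints are not used.

```python
# Added example (not Shopizer code): a model of the user-deletion
# authorization flaw described in the PoC, beside a hardened version.
# The data model, function and store names here are made up for
# illustration; Shopizer's real classes are not used.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable

SUPERADMIN = "SUPERADMIN"   # may manage users in every store
ADMIN = "ADMIN"             # may manage users only in its own store


class Forbidden(Exception):
    """Raised when the acting user is not allowed to perform the operation."""


@dataclass(frozen=True)
class User:
    user_id: int
    login: str
    store: str                 # code of the store the account belongs to
    groups: FrozenSet[str]


class UserDb:
    """In-memory stand-in for the users table (constructed sample data)."""

    def __init__(self, users: Iterable[User]):
        self._users: Dict[int, User] = {u.user_id: u for u in users}

    def get(self, user_id: int):
        return self._users.get(user_id)

    def exists(self, user_id: int) -> bool:
        return user_id in self._users

    def delete(self, user_id: int) -> None:
        del self._users[user_id]


def sample_db() -> UserDb:
    """Constructed fixture: one superadmin plus regular admins in two stores."""
    return UserDb([
        User(1, "superadmin", "DEFAULT", frozenset({SUPERADMIN})),
        User(2, "admin-default", "DEFAULT", frozenset({ADMIN})),
        User(3, "clerk-default", "DEFAULT", frozenset({ADMIN})),
        User(4, "admin-other", "OTHER", frozenset({ADMIN})),
    ])


def delete_user_vulnerable(db: UserDb, actor: User, target_id: int) -> bool:
    """The IDOR pattern: the handler checks only that the caller is *an*
    admin, then deletes whatever userId the request carries. Editing the
    userId in Burp, as in the PoC, is enough to remove the superadmin."""
    if not (actor.groups & {ADMIN, SUPERADMIN}):
        raise Forbidden("not an administrator")
    if not db.exists(target_id):
        return False
    db.delete(target_id)
    return True


def delete_user_hardened(db: UserDb, actor: User, target_id: int) -> bool:
    """Authorize against the *target's* stored attributes, not the request.
    A regular admin may only delete non-superadmin users of its own store;
    the userId from the request is treated purely as a lookup key."""
    target = db.get(target_id)
    if target is None:
        return False
    if target.user_id == actor.user_id:
        raise Forbidden("an account cannot delete itself")
    if SUPERADMIN in actor.groups:
        db.delete(target_id)
        return True
    if ADMIN not in actor.groups:
        raise Forbidden("not an administrator")
    if SUPERADMIN in target.groups:
        raise Forbidden("a regular admin cannot delete a superadmin")
    if target.store != actor.store:
        raise Forbidden("target belongs to another store")
    db.delete(target_id)
    return True


def attempt(handler, db: UserDb, actor_id: int, target_id: int) -> str:
    """Run one delete attempt and report 'deleted', 'forbidden' or 'missing'."""
    actor = db.get(actor_id)
    try:
        return "deleted" if handler(db, actor, target_id) else "missing"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # Regular admin (id 2) replays the delete with the superadmin's id (1).
    print("vulnerable:", attempt(delete_user_vulnerable, sample_db(), 2, 1))  # deleted
    print("hardened:  ", attempt(delete_user_hardened, sample_db(), 2, 1))    # forbidden
```

The point of the hardened version is that every decision is made from what the server already knows about the target record (its groups and its store), so changing the userId in the request only changes which record is looked up, not what the caller is permitted to do. In a real application this check belongs in the service layer that performs the deletion, so that every controller or API path reaching it is covered.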

Affected Environments

2.0 through 2.17.0


Upgrade version to 3.0.0 or higher

Language: Java

Good to know:


CWE-639: Authorization Bypass Through User-Controlled Key


Upgrade Version

Upgrade to version 3.0.0

CVSS v3 Base Score:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

CVSS v2 Base Score:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): None
Integrity (I): None
Availability (A): Partial