

Date: May 3, 2022


Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user who was already logged in will still have access to the application even after the password was changed.


The Shopizer application doesn't delete the active session of a customer, even after the admin resets the password.

PoC Details

Browse the app and log in as an administrator. In an incognito window, browse to the app and register a new customer. Now, in the already logged-in admin account, browse in the admin panel to the "admin/customers/list.html" endpoint. Click on the details of the recently created customer. Then navigate to More options > Set credentials. Enter the username and a newly set password and submit to save. We see that the customer's session in the incognito window is still active and persists, and the user can perform all of the actions.
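The mitigation a maintainer would want for this class of bug, added here as an illustration and not taken from Shopizer's own code base: track live sessions per principal and expire all of a user's sessions at the moment the password is stored, whether the change is made by the user or by an administrator. The example assumes a Spring Security stack (Shopizer is a Java application, but the stack is an assumption of this example); the `UserAccountRepository` interface, the `PasswordChangeService` class, the bean names and the `/login?expired` URL are this example's own inventions.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.stereotype.Service;

// Hypothetical persistence interface for this example; the real project has its own.
interface UserAccountRepository {
    void updatePasswordHash(String username, String newHash);
}

@Configuration
class SessionTrackingConfig {

    // In-memory map of principal -> live HttpSession ids (single-node deployments).
    @Bean
    SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Forwards servlet session-created/destroyed events to the registry so it stays current.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    // Registers every authenticated session with the registry. maximumSessions(-1) means
    // "no cap on concurrent sessions": we want tracking, not a limit. Other HttpSecurity
    // settings (authorization rules, login form) are omitted from this example.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http, SessionRegistry registry) throws Exception {
        http.sessionManagement(session -> session
                .maximumSessions(-1)
                .sessionRegistry(registry)
                .expiredUrl("/login?expired"));
        return http.build();
    }
}

@Service
class PasswordChangeService {

    private final UserAccountRepository accounts;
    private final PasswordEncoder encoder;
    private final SessionRegistry registry;

    PasswordChangeService(UserAccountRepository accounts, PasswordEncoder encoder, SessionRegistry registry) {
        this.accounts = accounts;
        this.encoder = encoder;
        this.registry = registry;
    }

    /**
     * Stores the new password hash, then expires the user's sessions.
     *
     * @param keepSessionId the caller's own session id when a user changes their own
     *                      password (kept so they are not logged out mid-request);
     *                      pass null for an administrator reset, which expires all of them.
     * @return number of sessions marked expired
     */
    public int changePassword(String username, String newRawPassword, String keepSessionId) {
        // Persist the new hash first so nothing can re-authenticate with the old credential.
        accounts.updatePasswordHash(username, encoder.encode(newRawPassword));

        int expired = 0;
        for (Object principal : registry.getAllPrincipals()) {
            if (!username.equals(principalName(principal))) {
                continue; // the administrator's own session, and everyone else's, stay untouched
            }
            List<SessionInformation> sessions = registry.getAllSessions(principal, false);
            for (SessionInformation info : sessions) {
                if (info.getSessionId().equals(keepSessionId)) {
                    continue;
                }
                // Marks the session expired; ConcurrentSessionFilter invalidates it and
                // redirects to expiredUrl on that session's next request.
                info.expireNow();
                expired++;
            }
        }
        return expired;
    }

    private static String principalName(Object principal) {
        return principal instanceof UserDetails ? ((UserDetails) principal).getUsername() : principal.toString();
    }
}
```

Two points worth checking when adapting this: `expireNow()` only marks the session, so the customer from the PoC above is cut off on their next request rather than instantly, which is what makes the incognito-window check in the PoC a good regression test (the next click should land on the expired URL); and `SessionRegistryImpl` is in-memory, so a multi-node deployment needs a registry backed by the shared session store (Spring Session provides `SpringSessionBackedSessionRegistry` for that) or the reset will only expire sessions on the node that handled it.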

Affected Environments

2.3.0 to 3.0.1



Language: Java

Good to know:


Insufficient Session Expiration


Upgrade Version

No fix version available

Base Score (CVSS v3 metrics):
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score (CVSS v2 metrics):
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): Single
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Additional information: