shopizer-ecommerce/shopizer

GitHub

github.com

www.shopizer.com

Releases30

Frequency3 months 1 week

Last Release over 3 years ago

Stars3.91K

Shopizer java e-commerce software

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-36763 ↗	Apr 30, 2026Thursday, 30 April 2026, 18:16	6.1 MEDIUM	—
A stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade v4.8.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the content parameter.
CVE-2026-36766 ↗	Apr 30, 2026Thursday, 30 April 2026, 18:16	5.4 MEDIUM	—
Multiple authenticated cross-site scripting (XSS) vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the getInputStream() or getReader() functions.
CVE-2026-36767 ↗	Apr 30, 2026Thursday, 30 April 2026, 17:16	10 CRITICAL	—
A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary files to any writeable path via a crafted POST request.
CVE-2022-23063 ↗	May 3, 2022Tuesday, 3 May 2022, 09:15	8.8 HIGH	6.5 MEDIUM
In Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.
CVE-2022-23060 ↗	May 1, 2022Sunday, 1 May 2022, 13:15	4.8 MEDIUM	3.5 LOW
A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage files” tab
CVE-2022-23061 ↗	May 1, 2022Sunday, 1 May 2022, 13:15	6.5 MEDIUM	5.5 MEDIUM
In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin (although this cannot happen according to the documentation) via Insecure Direct Object Reference (IDOR) vulnerability.
CVE-2022-23059 ↗	Mar 29, 2022Tuesday, 29 March 2022, 11:15	4.8 MEDIUM	3.5 LOW
A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0 via the “Manage Images” tab, which allows an attacker to upload a SVG file containing malicious JavaScript code.
CVE-2021-33561 ↗	May 24, 2021Monday, 24 May 2021, 23:15	4.8 MEDIUM	3.5 LOW
A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. It is saved in the database. The code is executed for any user of store administration when information is fetched from the backend, e.g., in admin/customers/list.html.
CVE-2021-33562 ↗	May 24, 2021Monday, 24 May 2021, 23:15	4.8 MEDIUM	3.5 LOW
A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL.
CVE-2020-11006 ↗	May 8, 2020Friday, 8 May 2020, 19:15	9.1 CRITICAL	3.5 LOW
In Shopizer before version 2.11.0, a script can be injected in various forms and saved in the database, then executed when information is fetched from backend. This has been patched in version 2.11.0.
CVE-2020-11007 ↗	Apr 16, 2020Thursday, 16 April 2020, 19:15	6.5 MEDIUM	4 MEDIUM
In Shopizer before version 2.11.0, using API or Controller based versions negative quantity is not adequately validated hence creating incorrect shopping cart and order total. This vulnerability makes it possible to create a negative total in the shopping cart. This has been patched in version 2.11.0.