CVE-2021-33561 in Shopizer

Summary

by MITRE • 05/25/2021

A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. It is saved in the database. The code is executed for any user of store administration when information is fetched from the backend, e.g., in admin/customers/list.html.

Analysis

by VulDB Data Team • 05/03/2025

This vulnerability is a stored cross-site scripting flaw in the Shopizer e-commerce platform before version 2.17.0, classified under CWE-79 (improper neutralization of input during web page generation). It affects the customer_name field submitted through several store-administration forms: the value is written to the database without sanitization, and the administrative templates later emit it without output encoding. A script or HTML fragment placed in customer_name therefore sits dormant in the customer table until the administrative interface fetches and renders it, at which point it runs in the browser of whichever administrator or back-office user opened the page.

Exploitation needs nothing from the victim beyond a routine page view. Once the payload is stored, any administrator who opens a page that renders the name, such as admin/customers/list.html, executes it in their own browser with their own session. The usual consequences are theft of session cookies that are not marked HttpOnly, requests to administrative endpoints issued with the victim's session (which HttpOnly does not prevent), and credential capture through injected forms or redirects. Because the payload lives in the database rather than in a link, a single injection keeps firing for every user who views the affected pages, with no repeated attacker action. The record also remains after the upgrade: output encoding neutralizes it on the fixed pages, but it should still be cleaned, since exports and other consumers of the same column may not encode it.
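The rendering pattern described above, as an added example in JavaScript that is not Shopizer's own code (Shopizer's admin templates are Java-side; this models the same two contexts, element text in the customer list and an attribute value in the edit form, in a Node script). The sample records, the render functions and escapeHtml are constructed for illustration:

```javascript
// Added example, not Shopizer's code: a stored customer_name reaching the admin
// customer list (text context) and the edit form (attribute context) without
// encoding, beside the output-encoded version. Record contents are constructed.

// Encoder for HTML element text and double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample of what the backend could hand to admin/customers/list.html.
// Records 2 and 3 carry names an attacker saved through a customer form:
// record 2 targets the text context, record 3 breaks out of a quoted attribute.
const SAMPLE_CUSTOMERS = [
  { id: 1, customer_name: 'Alice Example' },
  { id: 2, customer_name: '<script>alert(document.domain)</script>' },
  { id: 3, customer_name: '" onmouseover="alert(document.domain)' },
];

// Vulnerable list row: the stored string goes straight into the markup.
function renderListRowVulnerable(c) {
  return `<tr><td>${c.id}</td><td>${c.customer_name}</td></tr>`;
}

// Hardened list row: every dynamic value is encoded at output time.
function renderListRowSafe(c) {
  return `<tr><td>${escapeHtml(c.id)}</td><td>${escapeHtml(c.customer_name)}</td></tr>`;
}

// Vulnerable edit form: a double quote in the name terminates the attribute,
// so the rest of the name becomes new attributes on the <input>.
function renderEditFormVulnerable(c) {
  return `<input type="text" name="customer_name" value="${c.customer_name}">`;
}

// Hardened edit form: the quote is encoded and the value stays one attribute.
function renderEditFormSafe(c) {
  return `<input type="text" name="customer_name" value="${escapeHtml(c.customer_name)}">`;
}

function renderCustomerList(customers, renderRow) {
  return '<table>\n' + customers.map(renderRow).join('\n') + '\n</table>';
}

console.log(renderCustomerList(SAMPLE_CUSTOMERS, renderListRowVulnerable));
console.log(renderCustomerList(SAMPLE_CUSTOMERS, renderListRowSafe));
console.log(renderEditFormVulnerable(SAMPLE_CUSTOMERS[2]));
console.log(renderEditFormSafe(SAMPLE_CUSTOMERS[2]));
```

Note that the same stored value needs a different encoder depending on where it lands: a name that is harmless as element text (record 3) is live as soon as it is placed in an attribute, which is why encoding belongs in the template at the point of output rather than once at save time.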

The operational impact goes beyond running a script. An administrator's session carries the rights to manage customers, orders, products and store configuration, so script running in that session can perform any of those actions or set up persistence for the attacker. The exposed population is every administrative user who views the customer list or any other page that renders the stored name, which makes this a significant risk for organizations relying on Shopizer for their online operations. In OWASP terms the issue is A7:2017 Cross-Site Scripting (XSS), folded into A03:2021 Injection in the current list. In ATT&CK terms the closest mappings are T1059.007 (Command and Scripting Interpreter: JavaScript) for the payload and T1539 (Steal Web Session Cookie) for the usual follow-on. Because customer and order data are reachable through the same administrative interface, leaving the flaw in place exposes the organization to data breaches and the regulatory consequences that follow.

Mitigation starts with upgrading to Shopizer 2.17.0 or later, which addresses the affected administrative forms and pages. For code under your own control, the durable fix is contextual output encoding in the templates at render time (HTML-entity encoding for element text, attribute encoding inside attribute values), not encoding before storage: encoding at write time corrupts the data for every other consumer and still misses values that reached the column by another route. Server-side input validation is a useful second layer (a customer name has no legitimate need for angle brackets), but client-side validation has no security value, because the attacker controls the client. Defense in depth for the administrative interface adds a Content Security Policy that forbids inline script (nonce or hash based), HttpOnly and SameSite flags on the admin session cookie, a sweep of existing customer_name values for markup after the upgrade, and alerting on administrative actions that follow a customer-list view. Beyond this CVE, the lesson is the standard one: privileged interfaces that render user-controlled data need the same encoding discipline as the public storefront, because a single stored payload there yields an administrator's session rather than a shopper's.
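Two of the post-upgrade checks above, as an added example that is not part of this page or of Shopizer: a sweep of stored customer_name values for markup that has no business in a name, and a check of whether a Content-Security-Policy header actually forbids inline script. The sample rows, the header strings, the INDICATORS list and both functions are constructed here.

```javascript
// Added example, not Shopizer's code. Upgrading to 2.17.0 fixes rendering but
// leaves already-stored payloads in the customer table, so (1) queue stored
// names that contain markup for review, and (2) confirm the admin pages' CSP
// would not let an inline payload run. All data below is constructed.

// Constructed sample of rows as they might sit in the customer table.
const STORED_CUSTOMERS = [
  { id: 101, customer_name: 'Alice Example' },
  { id: 102, customer_name: "Conor O'Brien" },        // apostrophes are legitimate
  { id: 103, customer_name: '<img src=x onerror=alert(document.domain)>' },
  { id: 104, customer_name: 'Bonnie Johnson' },       // contains "on", must not be flagged
  { id: 105, customer_name: '" onmouseover="alert(1)' },
  { id: 106, customer_name: 'see <a href="javascript:alert(1)">profile</a>' },
];

// Triage heuristics, each labelled with the kind of injection it catches.
// A hit means "inspect and re-save by hand", not proof of compromise.
const INDICATORS = [
  ['html tag',             /<\s*\/?[a-z!?]/i],
  ['inline event handler', /\bon[a-z]+\s*=/i],
  ['javascript: url',      /javascript\s*:/i],
];

// Return the rows whose customer_name matches any indicator, with the reasons.
function auditCustomerNames(rows) {
  const hits = [];
  for (const row of rows) {
    const reasons = INDICATORS
      .filter(([, re]) => re.test(row.customer_name))
      .map(([label]) => label);
    if (reasons.length) hits.push({ id: row.id, reasons });
  }
  return hits;
}

// Parse a Content-Security-Policy header into { directive: [sources] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// True when inline <script> and on*= handlers would execute under the policy.
// script-src governs; default-src is the fallback; no directive at all means
// no restriction. Per CSP Level 3, 'unsafe-inline' is ignored once a nonce or
// hash source is present, so a nonce-based policy still blocks inline script
// even if 'unsafe-inline' was left in for old browsers.
function cspPermitsInlineScript(header) {
  const d = parseCsp(header);
  const sources = d['script-src'] ?? d['default-src'];
  if (!sources) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

console.log(auditCustomerNames(STORED_CUSTOMERS));
console.log(cspPermitsInlineScript("default-src 'self'; script-src 'self'; object-src 'none'"));
console.log(cspPermitsInlineScript("default-src 'self' 'unsafe-inline'"));
```

The indicator list is deliberately broad (any `<` followed by a letter is flagged) because false positives cost a few minutes of review, while a missed payload keeps firing in the admin interface. The CSP check is worth running against the live header rather than the intended one: a policy that reaches the browser with `'unsafe-inline'` in script-src and no nonce provides no protection against exactly this class of bug.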

Reservation

05/24/2021

Disclosure

05/25/2021

Moderation

accepted

CPE

ready

EPSS

0.02850

KEV

no

Activities

very low
