Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a CVE vulnerability ID? 
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
New vulnerability? Tell us about it!
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2022-23060
Date: May 1, 2022
Overview
A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage files” tab.Details
The “Shopizer” application is affected by the “Stored XSS” vulnerability, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage files” tab.PoC Details
Browse the application and login with administrator credentials via “/admin/login.html” endpoint. Now navigate to the “Manage files” tab from “Manage content” and upload any image file. Click on “Upload Files” and intercept the request. Now change the value in the parameter “filename” to the payload found in the “POC Code” section below. The payload gets triggered after a successful upload.PoC Code
<img src=x onerror=alert(1)>Affected Environments
2.0 through 2.17.0Prevention
Upgrade version to 3.0.0 or higherLanguage: Java
Good to know:
| Base Score: |
|
|---|---|
| Attack Vector (AV): | Network |
| Attack Complexity (AC): | Low |
| Privileges Required (PR): | High |
| User Interaction (UI): | Required |
| Scope (S): | Changed |
| Confidentiality (C): | Low |
| Integrity (I): | Low |
| Availability (A): | None |
| Base Score: |
|
|---|---|
| Access Vector (AV): | Network |
| Access Complexity (AC): | Medium |
| Authentication (AU): | Single |
| Confidentiality (C): | None |
| Integrity (I): | Partial |
| Availability (A): | None |
| Additional information: |