CVE-2021-33561
Cross-site scripting in Shopizer
CVSS 3.1: 4.8 (MEDIUM)
EPSS: 0.71%
Description
A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. The injected value is saved in the database, and the code is executed for any user of store administration when the information is fetched from the backend, e.g., in admin/customers/list.html.
How to fix CVE-2021-33561
To remediate CVE-2021-33561, upgrade the affected package to a fixed version listed below.
- Upgrade to 2.17.0 or later
Is CVE-2021-33561 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.17.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |