Lucene search

MendCVELIST:CVE-2022-23061

HistoryMay 01, 2022 - 12:40 p.m.

CVE-2022-23061 Shopizer - IDOR delete superadmin

2022-05-0112:40:12

CWE-639

Mend

www.cve.org

shopizer

idor

admin privilege

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

EPSS

0.001

Percentile

31.9%

JSON

In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin (although this cannot happen according to the documentation) via Insecure Direct Object Reference (IDOR) vulnerability.

CNA Affected

[
  {
    "product": "Shopizer",
    "vendor": "shopizer-ecommerce",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "2.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "2.17.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/shopizer-ecommerce/shopizer/commit/6b9f1ecd303b3b724d96bd08095c1a751dcc287e

www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23061

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

EPSS

0.001

Percentile

31.9%

JSON

Related for CVELIST:CVE-2022-23061