Lucene search

GitHub_MCVELIST:CVE-2020-11006

HistoryMay 08, 2020 - 6:45 p.m.

CVE-2020-11006 Potential remote code execution in Shopizer

2020-05-0818:45:12

GitHub_M

www.cve.org

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

9.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.4%

JSON

In Shopizer before version 2.11.0, a script can be injected in various forms and saved in the database, then executed when information is fetched from backend. This has been patched in version 2.11.0.

CNA Affected

[
  {
    "product": "shopizer",
    "vendor": "shopizer-ecommerce",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.11.0"
      }
    ]
  }
]

References

github.com/shopizer-ecommerce/shopizer/commit/929ca0839a80c6f4dad087e0259089908787ad2a

github.com/shopizer-ecommerce/shopizer/security/advisories/GHSA-8pc4-gvfw-634p

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

9.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.4%

JSON

Related for CVELIST:CVE-2020-11006