{"id":"CVE-2021-33562","details":"A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL.","aliases":["GHSA-378p-hrq3-x4p3"],"modified":"2026-04-12T03:27:50.887665Z","published":"2021-05-24T23:15:08.787Z","references":[{"type":"FIX","url":"https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271"},{"type":"FIX","url":"https://github.com/shopizer-ecommerce/shopizer/compare/2.16.0...2.17.0"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/49901"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/shopizer-ecommerce/shopizer","events":[{"introduced":"0"},{"fixed":"47396903b3805080c87057ce057c68d36ef7fb2a"},{"fixed":"197f8c78c8f673b957e41ca2c823afc654c19271"}],"database_specific":{"cpe":"cpe:2.3:a:shopizer:shopizer:*:*:*:*:*:*:*:*","source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"2.17.0"}]}}],"versions":["2.13.0","2.14.1","2.15.0","2.16.0","v2.13.0","v2.14.0","v2.14.1"],"database_specific":{"vanir_signatures_modified":"2026-04-12T03:27:50Z","vanir_signatures":[{"signature_version":"v1","source":"https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271","digest":{"line_hashes":["22285619678933967751165268830234213452","106628044783959303085066853221350109172","70857240634589952013287244881973002746","291773468555724263604618954544447906577","194760786931620374632553607361319230721","60702978520127307290190241330340296343","312137715999592589032113097114542125398","23299825708746098681211493114765973043","281665582636863512071703663116889915784","287175368020533677612546539070733848828","86273851203980282484097189410504962360"],"threshold":0.9},"signature_type":"Line","deprecated":false,"id":"CVE-2021-33562-03ca91ae","target":{"file":"sm-shop/src/main/java/com/salesmanager/shop/store/controller/category/ShoppingCategoryController.java"}},{"signature_version":"v1","source":"https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271","digest":{"function_hash":"267681314943511409058316542741060568667","length":100},"signature_type":"Function","deprecated":false,"id":"CVE-2021-33562-5c225609","target":{"function":"doFilter","file":"sm-shop/src/main/java/com/salesmanager/shop/filter/XssFilter.java"}},{"signature_version":"v1","source":"https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271","digest":{"line_hashes":["135390940942894668177515639482093117321","176856125437285893281023856277049689814","8753404996372903394498759202718209671","68560027063347199793409355825377622429","107807252746075540705184971356016445939","121751782599999907191098765684492074711","269483439507296050067923581292082615895","47046884113053335480036781416160011277","190833818704774025957310429079950546796"],"threshold":0.9},"signature_type":"Line","deprecated":false,"id":"CVE-2021-33562-5ca33c9d","target":{"file":"sm-shop/src/main/java/com/salesmanager/shop/filter/XssFilter.java"}},{"signature_version":"v1","source":"https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271","digest":{"function_hash":"283977033798844079314824230304570134056","length":2894},"signature_type":"Function","deprecated":false,"id":"CVE-2021-33562-9e387bfc","target":{"function":"displayCategory","file":"sm-shop/src/main/java/com/salesmanager/shop/store/controller/category/ShoppingCategoryController.java"}},{"signature_version":"v1","source":"https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271","digest":{"line_hashes":["100135505418269743310911761774611605371","95537784149499941560177652333015681411","323038267425287307455920545867239791947"],"threshold":0.9},"signature_type":"Line","deprecated":false,"id":"CVE-2021-33562-aae229a4","target":{"file":"sm-shop/src/main/java/com/salesmanager/shop/application/config/ShopApplicationConfiguration.java"}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-33562.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}]}