{"id":"CVE-2021-33561","details":"A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. It is saved in the database. The code is executed for any user of store administration when information is fetched from the backend, e.g., in admin/customers/list.html.","aliases":["GHSA-rcp4-jm2v-mr3f"],"modified":"2026-07-09T01:07:00.283818Z","published":"2021-05-24T23:15:08.750Z","references":[{"type":"FIX","url":"https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271"},{"type":"FIX","url":"https://github.com/shopizer-ecommerce/shopizer/compare/2.16.0...2.17.0"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/49901"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/shopizer-ecommerce/shopizer","events":[{"introduced":"0"},{"fixed":"47396903b3805080c87057ce057c68d36ef7fb2a"},{"fixed":"197f8c78c8f673b957e41ca2c823afc654c19271"}],"database_specific":{"cpe":"cpe:2.3:a:shopizer:shopizer:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"2.17.0"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["2.16.0","2.15.0","v2.14.1","2.14.1","v2.14.0","v2.13.0","2.13.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33561.json","vanir_signatures_modified":"2026-07-09T01:07:00Z","vanir_signatures":[{"signature_version":"v1","source":"https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271","target":{"file":"sm-shop/src/main/java/com/salesmanager/shop/store/controller/category/ShoppingCategoryController.java"},"deprecated":false,"digest":{"line_hashes":["22285619678933967751165268830234213452","106628044783959303085066853221350109172","70857240634589952013287244881973002746","291773468555724263604618954544447906577","194760786931620374632553607361319230721","60702978520127307290190241330340296343","312137715999592589032113097114542125398","23299825708746098681211493114765973043","281665582636863512071703663116889915784","287175368020533677612546539070733848828","86273851203980282484097189410504962360"],"threshold":0.9},"id":"CVE-2021-33561-03ca91ae","signature_type":"Line"},{"signature_type":"Function","signature_version":"v1","source":"https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271","target":{"function":"doFilter","file":"sm-shop/src/main/java/com/salesmanager/shop/filter/XssFilter.java"},"deprecated":false,"digest":{"function_hash":"267681314943511409058316542741060568667","length":100},"id":"CVE-2021-33561-5c225609"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["135390940942894668177515639482093117321","176856125437285893281023856277049689814","8753404996372903394498759202718209671","68560027063347199793409355825377622429","107807252746075540705184971356016445939","121751782599999907191098765684492074711","269483439507296050067923581292082615895","47046884113053335480036781416160011277","190833818704774025957310429079950546796"]},"id":"CVE-2021-33561-5ca33c9d","signature_type":"Line","signature_version":"v1","source":"https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271","target":{"file":"sm-shop/src/main/java/com/salesmanager/shop/filter/XssFilter.java"}},{"target":{"file":"sm-shop/src/main/java/com/salesmanager/shop/store/controller/category/ShoppingCategoryController.java","function":"displayCategory"},"deprecated":false,"digest":{"function_hash":"283977033798844079314824230304570134056","length":2894},"id":"CVE-2021-33561-9e387bfc","signature_type":"Function","signature_version":"v1","source":"https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["100135505418269743310911761774611605371","95537784149499941560177652333015681411","323038267425287307455920545867239791947"]},"id":"CVE-2021-33561-aae229a4","signature_type":"Line","signature_version":"v1","source":"https://github.com/shopizer-ecommerce/shopizer/commit/197f8c78c8f673b957e41ca2c823afc654c19271","target":{"file":"sm-shop/src/main/java/com/salesmanager/shop/application/config/ShopApplicationConfiguration.java"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}]}