CVE-2014-4965
Shopizer < 1.1.5 - Cross-Site Scripting via Multiple Parameters
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2014-4965. PoCs published by SEC Consult.
AI-analyzed exploit summary
This is a detailed technical writeup from SEC Consult Vulnerability Lab describing multiple critical vulnerabilities in Shopizer, including Remote Command Execution via Struts2 OGNL injection, price manipulation, mass assignment, CSRF, and XSS. It provides proof-of-concept URLs and HTTP requests demonstrating the exploits.
Description
Multiple cross-site scripting (XSS) vulnerabilities in Shopizer 1.1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) customername parameter to central/orders/searchcriteria.action; (2) productname, (3) availability, or (4) status parameter to central/catalog/productlist.action; or unspecified vectors in (5) WebContent/orders/orderlist.jsp.
Exploits (1)