CVE-2014-4965

Shopizer < 1.1.5 - Cross-Site Scripting via Multiple Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-4965. PoCs published by SEC Consult.

AI-analyzed exploit summary

This is a detailed technical writeup from SEC Consult Vulnerability Lab describing multiple critical vulnerabilities in Shopizer, including Remote Command Execution via Struts2 OGNL injection, price manipulation, mass assignment, CSRF, and XSS. It provides proof-of-concept URLs and HTTP requests demonstrating the exploits.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Shopizer 1.1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) customername parameter to central/orders/searchcriteria.action; (2) productname, (3) availability, or (4) status parameter to central/catalog/productlist.action; or unspecified vectors in (5) WebContent/orders/orderlist.jsp.

Exploits (1)

exploitdb WRITEUP
by SEC Consult · text · webapps · php
https://www.exploit-db.com/exploits/34062

Classification
Writeup 100%
Attack Type
RCE | Auth Bypass | Other
Complexity
Moderate
Reliability
Reliable
Target: Shopizer 1.1.5 and below
No auth needed
Prerequisites: Network access to the Shopizer application · Struts2 OGNL injection knowledge for RCE
mistral-large-3 · analyzed Feb 18, 2026

References (3)

Core References
Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/532726/100/0/threaded
Exploit (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2014/Jul/38
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/94465

Scores

EPSS 0.0325
EPSS Percentile 86.8%

Details

CWE
CWE-79
Status published
Products (1)
shopizer/shopizer < 1.1.5
Published Jul 15, 2014
Tracked Since Feb 18, 2026