CVE-2022-23061: Authorization Bypass Through User-Controlled Key

May 1, 2022 (updated May 9, 2022)

In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin (although this cannot happen according to the documentation) via Insecure Direct Object Reference (IDOR) vulnerability.

References

github.com/shopizer-ecommerce/shopizer/commit/6b9f1ecd303b3b724d96bd08095c1a751dcc287e
nvd.nist.gov/vuln/detail/CVE-2022-23061
www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23061

Detect and mitigate CVE-2022-23061 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →