CVE-2025-51605

An issue was discovered in Shopizer 3.2.7. The server's CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any allowlist validation, while also setting Access-Control-Allow-Credentials: true. This combination lets any malicious origin make authenticated cross-origin requests with the victim's cookies and read the sensitive responses.
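As an added illustration (not Shopizer's own code, which is Java), the reflecting pattern described above beside an allowlist-based replacement, plus a check that flags a response whose Access-Control-Allow-Origin echoes an untrusted probe origin together with credentials; the allowlist entries and origins are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist: only origins that legitimately need credentialed access.
ALLOWED_ORIGINS = {"https://shop.example.com", "https://admin.example.com"}


def normalize_origin(origin):
    """Canonical scheme://host[:port], or None for anything that is not a plain origin."""
    p = urlsplit(origin)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None  # covers "null", empty, file:, and garbage values
    if p.path or p.query or p.fragment or p.username or p.password:
        return None  # an Origin header never carries a path or userinfo
    try:
        port = p.port
    except ValueError:
        return None
    default = 443 if p.scheme == "https" else 80
    host = p.hostname.lower()
    return f"{p.scheme}://{host}" if port in (None, default) else f"{p.scheme}://{host}:{port}"


def cors_headers_reflecting(origin):
    """The weak behaviour from the advisory: echo Origin and allow credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_allowlisted(origin, allowed=ALLOWED_ORIGINS):
    """Hardened form: exact allowlist match only, with Vary so caches keep origins apart."""
    norm = normalize_origin(origin)
    if norm is None or norm not in allowed:
        return {}  # no CORS headers at all: the browser blocks the cross-origin read
    return {"Access-Control-Allow-Origin": norm,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def is_vulnerable(probe_origin, response_headers):
    """Detection: True when an untrusted probe origin is reflected alongside credentials."""
    acao = response_headers.get("Access-Control-Allow-Origin", "")
    acac = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    return acao == probe_origin and acac
```

Note that a substring or prefix match on the host (for example accepting any origin that starts with the trusted hostname) reopens the issue; the allowlist above compares the full normalized origin.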
References
Configurations

Configuration 1

cpe:2.3:a:shopizer:shopizer:3.2.7:*:*:*:*:*:*:*

History

12 Sep 2025, 19:40

Type        Values Removed                                                            Values Added
CPE         -                                                                         cpe:2.3:a:shopizer:shopizer:3.2.7:*:*:*:*:*:*:*
First Time  -                                                                         Shopizer shopizer; Shopizer
References  https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250512-02.md (no tags)
                                                                                      https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250512-02.md - Exploit, Third Party Advisory
Summary
  • (es) An issue was detected in Shopizer 3.2.7. The server's CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any allowlist validation, while also enabling Access-Control-Allow-Credentials: true. This allows any malicious origin to make authenticated cross-origin requests and read confidential responses.

22 Aug 2025, 16:15

Type        Values Removed    Values Added
New CVE     -                 -

Information

Published : 2025-08-22 16:15

Updated : 2025-09-12 19:40


NVD link : CVE-2025-51605

Mitre link : CVE-2025-51605

CVE.ORG link : CVE-2025-51605


Products Affected

shopizer

  • shopizer
CWE
CWE-346

Origin Validation Error