An issue was discovered in Shopizer 3.2.7. The server's CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling Access-Control-Allow-Credentials: true. This allows any malicious origin to make authenticated cross-origin requests and read sensitive responses.
References
Link | Resource |
---|---|
https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250512-02.md | Exploit Third Party Advisory |
Configurations
History
12 Sep 2025, 19:40
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:shopizer:shopizer:3.2.7:*:*:*:*:*:*:* | |
First Time |
Shopizer shopizer
Shopizer |
|
References | () https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250512-02.md - Exploit, Third Party Advisory | |
Summary |
|
22 Aug 2025, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-08-22 16:15
Updated : 2025-09-12 19:40
NVD link : CVE-2025-51605
Mitre link : CVE-2025-51605
CVE.ORG link : CVE-2025-51605
JSON object : View
Products Affected
shopizer
- shopizer
CWE
CWE-346
Origin Validation Error