Marek Toth

**Name of the Vulnerable Software and Affected Versions** Shopizer versions prior to 2.17.0 **Description** A stored cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `customer name` variable in various forms of store administration. The injected code is saved in the database and executed when information is fetched from the backend for any user of store administration, for example, in the "admin/customers/list.html" endpoint. **Recommendations** For versions prior to 2.17.0, update to version 2.17.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the store administration forms that use the `customer name` variable to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Shopizer versions prior to 2.17.0 **Description** A reflected cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `ref` parameter to a page about an arbitrary product, for example, a "product/insert-product-name-here.html/ref=" URL. This enables attackers to execute malicious scripts on the client-side. **Recommendations** For versions prior to 2.17.0, update to version 2.17.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `ref` parameter in the affected URL to minimize the risk of exploitation.