GHSA-HR9V-R8R2-HG7J

Vulnerability from github – Published: 2026-06-05 20:35 – Updated: 2026-06-05 20:35
VLAI
Summary
Shopper: Multiple data integrity and disclosure issues in admin Livewire components
Details

Impact

Three related defects on admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS:

  • IDOR via unlocked properties. Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the #[Locked] attribute. An authenticated user could rewrite the wire payload from the browser to target any record id, bypassing the implicit scoping enforced by the page routing.
  • Sensitive data echoed back through Hidden form field. Customers/Create::store() re-passed a Hidden _password form field straight into the create payload. The plaintext password was rendered into the HTML and transported through the Livewire snapshot in clear text, exposing credentials in the page DOM and in any logging that captures Livewire payloads.
  • Stored XSS on product barcode. The product barcode field was rendered through DNS1DFacade::getBarcodeHTML() with {!! !!}. An attacker with edit_products permission could persist malicious payload in the barcode field that would execute in the browser of any admin user viewing that product, enabling session theft and privileged-action chaining.

Patches

Fixed in v2.8.0:

  • All vulnerable Livewire model identifiers are now marked #[Locked].
  • Customers/Create no longer round-trips the password through a Hidden form field; the plaintext password is hashed at action boundary and never returned to the client.
  • The product barcode rendering now escapes the value before passing it to the barcode generator and the output is wrapped in an <svg> context that does not interpret event handlers.

Upgrade via:

composer require shopper/admin:^2.8

Workarounds

None. Upgrade to v2.8.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "shopper/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47743"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-639",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T20:35:14Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Impact\n\nThree related defects on admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS:\n\n- **IDOR via unlocked properties.** Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the `#[Locked]` attribute. An authenticated user could rewrite the wire payload from the browser to target any record id, bypassing the implicit scoping enforced by the page routing.\n- **Sensitive data echoed back through Hidden form field.** `Customers/Create::store()` re-passed a `Hidden` `_password` form field straight into the create payload. The plaintext password was rendered into the HTML and transported through the Livewire snapshot in clear text, exposing credentials in the page DOM and in any logging that captures Livewire payloads.\n- **Stored XSS on product barcode.** The product barcode field was rendered through `DNS1DFacade::getBarcodeHTML()` with `{!! !!}`. An attacker with `edit_products` permission could persist malicious payload in the barcode field that would execute in the browser of any admin user viewing that product, enabling session theft and privileged-action chaining.\n\n## Patches\n\nFixed in `v2.8.0`:\n\n- All vulnerable Livewire model identifiers are now marked `#[Locked]`.\n- `Customers/Create` no longer round-trips the password through a Hidden form field; the plaintext password is hashed at action boundary and never returned to the client.\n- The product barcode rendering now escapes the value before passing it to the barcode generator and the output is wrapped in an `\u003csvg\u003e` context that does not interpret event handlers.\n\nUpgrade via:\n\n```bash\ncomposer require shopper/admin:^2.8\n```\n\n## Workarounds\n\nNone. Upgrade to `v2.8.0`.",
  "id": "GHSA-hr9v-r8r2-hg7j",
  "modified": "2026-06-05T20:35:14Z",
  "published": "2026-06-05T20:35:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopperlabs/shopper/security/advisories/GHSA-hr9v-r8r2-hg7j"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopperlabs/shopper/pull/511"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopperlabs/shopper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Shopper: Multiple data integrity and disclosure issues in admin Livewire components"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…