Web Application Firewall

OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks

Overview :

OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users’ image upload section.
What version of OpenCart are you reporting this for?
Opencart 3.0.3.2
Describe the bug
Stored Cross Site Scripting (XSS) – Authenticated is found in users image upload section in opencart admin panel. Opencart is accepting filenames with arbitrary code in it and not escaping them so the JavaScript get executed. Malicious script in the admin dashboard can be injected permanently and can be used to steal the user’s sensitive information like cookies, keystrokes, account information etc

Server / Test environment (please complete the following information):

Kali Linux 4.19.0
PHP version: 7.1.32
Apache version: 2.4.41
Browser(s) tested with: Mozilla Firefox Latest Build

OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks

Recent Posts

CVE-2023-6817 : LINUX KERNEL UP TO 6.6.X NFT_SET_PIPAPO.C NFT_PIPAPO_WALK USE AFTER FREE

The Dawn Of Cyber Challenges In Healthcare Security | Prophaze

CVE-2023-6975 : MLFLOW PRIOR 2.9.2 PATH TRAVERSAL

Follow Us

zzcms 2018 template_user.php ml/title code injection

ZyXEL VPN2S 1.12 Web Server path traversal

Zyxel VPN2S 1.12 CGI Program os command injection

Zyxel USG/USG Flex/Zywall/ATP/VPN up to 4.64 Web-based Management Interface improper authentication

ZyXEL GS1900-8 2.60 LLDP Packet cross site scripting

Zynamics BinDiff up to 6 i64 File use after free

Web Application Firewall Solution

CVE-2024-53144 : LINUX KERNEL UP TO 6.1.112/6.6.54/6.10.13/6.11.2 HCI_EVENT PRIVILEGE ESCALATION

CVE-2024-50379 : APACHE TOMCAT UP TO 9.0.97/10.1.33/11.0.1 JSP COMPILATION TOCTOU

CVE-2024-10205 : HITACHI OPS CENTER ANALYZER ON LINUX 64-BIT MISSING AUTHENTICATION