Web Application Firewall

OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks

Overview :

OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users’ image upload section.
What version of OpenCart are you reporting this for?
Opencart 3.0.3.2
Describe the bug
Stored Cross Site Scripting (XSS) – Authenticated is found in users image upload section in opencart admin panel. Opencart is accepting filenames with arbitrary code in it and not escaping them so the JavaScript get executed. Malicious script in the admin dashboard can be injected permanently and can be used to steal the user’s sensitive information like cookies, keystrokes, account information etc

Server / Test environment (please complete the following information):

Kali Linux 4.19.0
PHP version: 7.1.32
Apache version: 2.4.41
Browser(s) tested with: Mozilla Firefox Latest Build

OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks

Recent Posts

Latest Spring Vulnerabilities Exploitation – CVE-2022-22965

10+ Best Free SSL Certificate Providers 2023

Latest Spring Vulnerabilities Exploitation – CVE-2022-22965

Follow Us

zzcms 2018 template_user.php ml/title code injection

ZyXEL VPN2S 1.12 Web Server path traversal

Zyxel VPN2S 1.12 CGI Program os command injection

Zyxel USG/USG Flex/Zywall/ATP/VPN up to 4.64 Web-based Management Interface improper authentication

ZyXEL GS1900-8 2.60 LLDP Packet cross site scripting

Zynamics BinDiff up to 6 i64 File use after free

Web Application Firewall Solution

CVE-2023-0556 : CONTENTSTUDIO PLUGIN UP TO 1.2.5 ON WORDPRESS CSTU_GET_METADATA AUTHORIZATION

CVE-2022-48108 : D-LINK DIR-878 1.30B08 SUBNETMASK COMMAND INJECTION

CVE-2022-47767 : SOLAR-LOG GATEWAY UP TO 4.2.7/5.1.1 SLCORE BACKDOOR