Overview :
OpenCart allows remote authenticated users to conduct XSS attacks via a crafted filename in the users’ image upload section.
What version of OpenCart are you reporting this for?
Describe the bug
Stored Cross Site Scripting (XSS) – Authenticated is found in users image upload section in opencart admin panel. Opencart is accepting filenames with arbitrary code in it and not escaping them so the JavaScript get executed. Malicious script in the admin dashboard can be injected permanently and can be used to steal the user’s sensitive information like cookies, keystrokes, account information etc

Server / Test environment (please complete the following information):

  • Kali Linux 4.19.0
  • PHP version: 7.1.32
  • Apache version: 2.4.41
  • Browser(s) tested with: Mozilla Firefox Latest Build