SQL Injection Vulnerability in OpenCart by OpenCart
CVE-2016-10509

7.2HIGH

Key Information:

Vendor: Opencart
Status: Opencart
Vendor: CVE Published:; 31 August 2017

Summary

An SQL injection vulnerability exists in the updateAmazonOrderTracking function of the OpenCart framework, specifically located in the upload/admin/model/openbay/amazon.php file. This flaw allows remote authenticated administrators to manipulate the carrier (courier_id) parameter in openbay.php, thereby executing arbitrary SQL statements. This issue impacts OpenCart installations prior to version 2.3.0.0, highlighting the importance of keeping software up to date to mitigate potential security risks.

References

https://github.com/opencart/opencart/issues/4114

x_refsource_CONFIRM

https://github.com/opencart/opencart/commit/b95044da6ac60...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability Reserved
Oct 3, 2022
Vulnerability published
Aug 31, 2017