Arbitrary Code Execution in OpenCart by Authenticated Users
CVE-2023-47444

8.8HIGH

Key Information:

Vendor: Opencart
Status: Opencart
Vendor: CVE Published:; 15 November 2023

What is CVE-2023-47444?

A security issue has been identified in OpenCart versions 4.0.0.0 to 4.0.2.3 that allows authenticated backend users with specific write privileges to inject untrusted data into critical configuration files, namely config.php and admin/config.php. This flaw potentially enables these users to execute arbitrary code on the server, posing a severe security threat. Proper patches and mitigations are essential to protect installations from unauthorized access and exploitation.

References

https://0xbro.red/disclosures/disclosed-vulnerabilities/o...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 15, 2023
Vulnerability Reserved
Nov 6, 2023

Opencart

What is CVE-2023-47444?

References

CVSS V3.1

Timeline