Arbitrary Code Execution in OpenCart by Authenticated Users
CVE-2023-47444

8.8 HIGH

Key Information:

Vendor: Opencart
Status: Vendor
CVE Published: 15 November 2023

Summary

A security issue has been identified in OpenCart versions 4.0.0.0 to 4.0.2.3 that allows authenticated backend users with specific write privileges to inject untrusted data into two critical configuration files, config.php and admin/config.php. This flaw potentially enables these users to execute arbitrary code on the server, posing a severe security threat. Patches and mitigations are essential to protect installations from unauthorized access and exploitation.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
