OpenCart vulnerable to reflected XSS attack
CVE-2024-21517

6.1MEDIUM

Key Information:

Vendor: OpenCart
Status: Opencart/opencart
Vendor: CVE Published:; 22 June 2024

Summary

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account functionality it could be used to target and attack customers of the OpenCart shop.

Notes:

The fix for this vulnerability is incomplete

Affected Version(s)

opencart/opencart 4.0.0.0

References

https://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-7...

https://github.com/opencart/opencart/commit/0fd1ee4b6c943...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jun 22, 2024
Vulnerability Reserved
Dec 22, 2023

Credit

Calum Hutton