Server-Side Template Injection in OpenCart Affecting Version 4.0.2.3
CVE-2024-36694

7.2HIGH

Key Information:

Vendor: OpenCart
Status: Opencart
Vendor: CVE Published:; 18 December 2024

What is CVE-2024-36694?

OpenCart version 4.0.2.3 contains a vulnerability that allows attackers to exploit Server-Side Template Injection (SSTI) through its Theme Editor Function. This vulnerability may enable unauthorized users to execute arbitrary code on the server, potentially compromising sensitive information and leading to further attacks. Mitigation measures should be taken to patch the affected version and secure the system against such vulnerabilities.

References

https://github.com/opencart/opencart/releases/tag/4.0.2.3

https://github.com/A3h1nt/CVEs/blob/main/OpenCart/Readme.md

https://github.com/opencart/opencart/issues/13863

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 18, 2024