Server-Side Template Injection in OpenCart Affecting Version 4.0.2.3
CVE-2024-36694

7.2HIGH

Key Information:

Vendor
OpenCart
Status
Opencart
Vendor
CVE Published:
18 December 2024

Summary

OpenCart version 4.0.2.3 contains a vulnerability that allows attackers to exploit Server-Side Template Injection (SSTI) through its Theme Editor Function. This vulnerability may enable unauthorized users to execute arbitrary code on the server, potentially compromising sensitive information and leading to further attacks. Mitigation measures should be taken to patch the affected version and secure the system against such vulnerabilities.

References

https://github.com/opencart/opencart/releases/tag/4.0.2.3
https://github.com/A3h1nt/CVEs/blob/main/OpenCart/Readme.md
https://github.com/opencart/opencart/issues/13863

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.
CVE-2024-36694 : Server-Side Template Injection in OpenCart Affecting Version 4.0.2.3 | SecurityVulnerability.io