Cross-Site Scripting Vulnerability in OpenCart by OpenCart
CVE-2025-1746

6.1MEDIUM

Key Information:

Vendor: Opencart
Status: Opencart
Vendor: CVE Published:; 28 February 2025

Summary

A Cross-Site Scripting vulnerability exists in OpenCart versions prior to 4.1.0. This flaw enables attackers to execute JavaScript in the browser of a user through a malicious URL targeting the /product/search endpoint. Exploiting this vulnerability allows unauthorized access to sensitive user data, including session cookies, and can facilitate actions on behalf of the logged-in user, potentially leading to further compromises.

Affected Version(s)

OpenCart 0 < 4.1.0

References

https://www.incibe.es/incibe-cert/alerta-temprana/avisos/...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 28, 2025
Vulnerability Reserved
Feb 27, 2025

Credit

Gonzalo Aguilar García (6h4ack)