Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03Y3JqLTI0ZzMtZzdoN84AA9S2

SQL injection in opencart

This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have to be enabled), it is possible to exploit SQL injection to gain unauthorised access to the backend database. For any site which is vulnerable, any unauthenticated user could exploit this to dump the entire OpenCart database, including customer PII data.

Permalink: https://github.com/advisories/GHSA-7crj-24g3-g7h7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03Y3JqLTI0ZzMtZzdoN84AA9S2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Identifiers: GHSA-7crj-24g3-g7h7, CVE-2024-21514
References: Repository: https://github.com/opencart/opencart
Blast Radius: 8.7

Affected Packages

packagist:opencart/opencart
Dependent packages: 12
Dependent repositories: 15
Downloads: 34,604 total
Affected Version Ranges: <= 3.0.3.9
No known fixed version
All affected versions: