CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

28 Feb 2025 — HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/voucher. • https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-opencart • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

28 Feb 2025 — HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/register. • https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-opencart • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

28 Feb 2025 — HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/login. • https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-opencart • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

28 Feb 2025 — Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the search in the /product/search endpoint. This vulnerability could be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. • https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-opencart • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 3

24 Jun 2022 — In OpenCart 1.4.7 to 1.5.5.1, the anti-traversal code implemented in filemanager.php is ineffective and can be bypassed. • https://www.exploit-db.com/exploits/24877 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

02 Jul 2018 — /upload/catalog/controller/account/password.php in OpenCart through 3.0.2.0 has CSRF via the index.php?route=account/password URI to change a user's password. • https://whitehatck01.blogspot.com/2018/06/opencart-v3-0-3-0-user-changes-password.html • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 8.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

26 May 2018 — The "program extension upload" feature in OpenCart through 3.0.2.0 has a six-step process (upload, install, unzip, move, xml, remove) that allows attackers to execute arbitrary code if the remove step is skipped, because the attacker can discover a secret temporary directory name (containing 10 random digits) via a directory traversal attack involving language_info['code']. • http://www.bigdiao.cc/2018/05/24/Opencart-v3-0-2-0 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 4.9 • EPSS: 0% • CPEs: 1 • EXPL: 1

26 May 2018 — OpenCart through 3.0.2.0 allows directory traversal in the editDownload function in admin\model\catalog\download.php via admin/index.php?route=catalog/download/edit, related to the download_id. For example, an attacker can download ../../config.php. • http://www.bigdiao.cc/2018/05/24/Opencart-v3-0-2-0 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1

31 Aug 2017 — SQL injection vulnerability in the updateAmazonOrderTracking function in upload/admin/model/openbay/amazon.php in OpenCart before version 2.3.0.0 allows remote authenticated administrators to execute arbitrary SQL commands via a carrier (aka courier_id) parameter to openbay.php. • https://github.com/opencart/opencart/commit/b95044da6ac608e7239f7949ff21d3b65be68f82 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 2

07 Jan 2016 — Cross-site scripting (XSS) vulnerability in OpenCart before 2.1.0.2 allows remote attackers to inject arbitrary web script or HTML via the zone_id parameter to index.php. OpenCart version 2.1.0.1 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/135163 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')