CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2020-20491
https://notcve.org/view.php?id=CVE-2020-20491
SQL injection vulnerability in OpenCart v.2.2.00 thru 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugin function in upload/admin/index.php. • https://github.com/opencart/opencart/issues/7612 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1CVE-2021-37823
https://notcve.org/view.php?id=CVE-2021-37823
OpenCart 3.0.3.7 allows users to obtain database information or read server files through SQL injection in the background. OpenCart 3.0.3.7 permite a los usuarios obtener información de la base de datos o leer archivos del servidor mediante inyección SQL en segundo plano. • https://medium.com/%40nowczj/sql-injection-exists-in-the-background-of-opencart-d41b5c58e99e • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 1%CPEs: 2EXPL: 3CVE-2013-1891 – OpenCart 1.5.5.1 - 'FileManager.php' Directory Traversal Arbitrary File Access
https://notcve.org/view.php?id=CVE-2013-1891
In OpenCart 1.4.7 to 1.5.5.1, implemented anti-traversal code in filemanager.php is ineffective and can be bypassed. En OpenCart versiones 1.4.7 a 1.5.5.1, el código anti-traversal implementado en el archivo filemanager.php es ineficaz y puede ser evitado • https://www.exploit-db.com/exploits/24877 http://www.waraxe.us/advisory-98.html https://seclists.org/fulldisclosure/2013/Mar/176 https://www.openwall.com/lists/oss-security/2013/03/24/1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-29470 – OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-29470
OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subject field of mail. This vulnerability can allow an attacker to inject the XSS payload in the Subject field of the mail and each time any user will open that mail of the website, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload. OpenCart versión 3.0.3.6, está afectado por una vulnerabilidad de tipo cross-site scripting (XSS) en el campo Subject del correo. Esta vulnerabilidad puede permitir a un atacante inyectar una carga útil de tipo XSS en el campo Subject del correo y cada vez que un usuario abre ese correo del sitio web, el XSS se desencadena y el atacante puede robar la cookie de acuerdo con la carga útil diseñada • https://www.exploit-db.com/exploits/49099 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-29471 – OpenCart 3.0.3.6 - 'Profile Image' Stored Cross-Site Scripting (Authenticated)
https://notcve.org/view.php?id=CVE-2020-29471
OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Profile Image. An admin can upload a profile image as a malicious code using JavaScript. Whenever anyone will see the profile picture, the code will execute and XSS will trigger. OpenCart versión 3.0.3.6, está afectado por una vulnerabilidad de tipo cross-site scripting (XSS) en la Imagen de Perfil. Un administrador puede cargar una imagen de perfil como un código malicioso usando JavaScript. • https://www.exploit-db.com/exploits/49098 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •