CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-28838
https://notcve.org/view.php?id=CVE-2020-28838
11 Dec 2020 — Cross Site Request Forgery (CSRF) in CART option in OpenCart Ltd. Opencart CMS 3.0.3.6 allows attacker to add cart items via Add to cart. Un vulnerabilidad de tipo Cross Site Request Forgery (CSRF) en la opción CART en OpenCart Ltd. Opencart CMS versión 3.0.3.6, permite a un atacante agregar artículos al carrito por medio de Add to cart • https://www.exploit-db.com/exploits/49228 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-13980
https://notcve.org/view.php?id=CVE-2020-13980
09 Jun 2020 — OpenCart 3.0.3.3 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section because of a lack of entity encoding. NOTE: this issue exists because of an incomplete fix for CVE-2020-10596. The vendor states "this is not a massive issue as you are still required to be logged into the admin. ** EN DISPUTA ** OpenCart versión 3.0.3.3, permite a usuarios autenticados remotos conducir ataques de tipo XSS por medio de un nombre de archivo diseñado en la secció... • https://github.com/opencart/opencart/issues/7974 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 5CVE-2020-10596 – OpenCart 3.0.3.2 - Stored Cross Site Scripting (Authenticated)
https://notcve.org/view.php?id=CVE-2020-10596
17 Mar 2020 — OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section. OpenCart versión 3.0.3.2, permite a usuarios autenticados remotos conducir ataques de tipo XSS por medio de un nombre de archivo diseñado en la sección de carga de imágenes de usuarios. OpenCart version 3.0.3.2 suffers from a persistent cross site scripting vulnerability. • https://packetstorm.news/files/id/157908 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 2CVE-2019-15081 – Opencart 3.x - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-15081
15 Aug 2019 — OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages. OpenCart versiones 3.x, cuando el atacante tiene acceso de inicio de sesión hacia el panel de administración, permite un ataque de tipo XSS almacenado dentro de la funcionalidad de edición de Source/HTML de las páginas Categories, Product, e Information. • https://www.exploit-db.com/exploits/47331 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-13067
https://notcve.org/view.php?id=CVE-2018-13067
02 Jul 2018 — /upload/catalog/controller/account/password.php in OpenCart through 3.0.2.0 has CSRF via the index.php?route=account/password URI to change a user's password. /upload/catalog/controller/account/password.php en OpenCart hasta la versión 3.0.2.0 tiene Cross-Site Request Forgery (CSRF) mediante el URI index.php?route=account/password para cambiar la contraseña de un usuario. • https://whitehatck01.blogspot.com/2018/06/opencart-v3-0-3-0-user-changes-password.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 1CVE-2018-11494
https://notcve.org/view.php?id=CVE-2018-11494
26 May 2018 — The "program extension upload" feature in OpenCart through 3.0.2.0 has a six-step process (upload, install, unzip, move, xml, remove) that allows attackers to execute arbitrary code if the remove step is skipped, because the attacker can discover a secret temporary directory name (containing 10 random digits) via a directory traversal attack involving language_info['code']. La característica "program extension upload" en OpenCart hasta la versión 3.0.2.0 tiene un proceso en seis pasos (subir, instalar, desc... • http://www.bigdiao.cc/2018/05/24/Opencart-v3-0-2-0 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1CVE-2018-11495
https://notcve.org/view.php?id=CVE-2018-11495
26 May 2018 — OpenCart through 3.0.2.0 allows directory traversal in the editDownload function in admin\model\catalog\download.php via admin/index.php?route=catalog/download/edit, related to the download_id. For example, an attacker can download ../../config.php. OpenCart hasta la versión 3.0.2.0 permite el salto de directorio en la función editDownload en admin\model\catalog\download.php mediante admin/index.php? • http://www.bigdiao.cc/2018/05/24/Opencart-v3-0-2-0 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2016-10509
https://notcve.org/view.php?id=CVE-2016-10509
31 Aug 2017 — SQL injection vulnerability in the updateAmazonOrderTracking function in upload/admin/model/openbay/amazon.php in OpenCart before version 2.3.0.0 allows remote authenticated administrators to execute arbitrary SQL commands via a carrier (aka courier_id) parameter to openbay.php. Una vulnerabilidad de inyección SQL en la función updateAmazonOrderTracking en upload/admin/model/openbay/amazon.php en OpenCart en versiones anteriores a la 2.3.0.0 permite que los administradores autenticados remotos ejecuten coma... • https://github.com/opencart/opencart/commit/b95044da6ac608e7239f7949ff21d3b65be68f82 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2015-4671 – OpenCart 2.1.0.1 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2015-4671
07 Jan 2016 — Cross-site scripting (XSS) vulnerability in OpenCart before 2.1.0.2 allows remote attackers to inject arbitrary web script or HTML via the zone_id parameter to index.php. Vulnerabilidad de XSS en OpenCart en versiones anteriores a 2.1.0.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de el parámetro zone_id para index.php. OpenCart version 2.1.0.1 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/135163 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 11%CPEs: 1EXPL: 5CVE-2014-3990 – OpenCart 1.5.6.4 PHP Object Injection
https://notcve.org/view.php?id=CVE-2014-3990
14 Jul 2014 — The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP object, related to the quantity parameter in an update request. El método Cart::getProducts en system/library/cart.php en OpenCart, en versiones 1.5.6.4 y anteriores, permite que atacantes remotos lleven a cabo ataques de SSRF (Server-S... • https://packetstorm.news/files/id/127460 • CWE-611: Improper Restriction of XML External Entity Reference CWE-918: Server-Side Request Forgery (SSRF) •