CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2025-45892 – OpenCart 4.1.0.4 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2025-45892
26 Jun 2025 — OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via the blog editor. The vulnerability arises because input in the blog's editor is not properly sanitized or escaped before being rendered. This allows attackers to inject malicious JavaScript code La versión 4.1.0.4 de OpenCart es vulnerable a un ataque de Cross-Site Scripting (XSS) almacenado a través del editor del blog. Esta vulnerabilidad surge porque la entrada en el editor del blog no se depura ni escapa correctamen... • https://packetstorm.news/files/id/202886 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2025-45893 – OpenCart 4.1.0.4 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2025-45893
26 Jun 2025 — OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via SVG file uploads used in blog posts. The vulnerability arises because SVG files uploaded through the media manager are not properly sanitized. Attackers can craft a malicious SVG file containing embedded JavaScript La versión 4.1.0.4 de OpenCart es vulnerable a un ataque de Cross-Site Scripting (XSS) Almacenado mediante la carga de archivos SVG utilizados en entradas de blog. Esta vulnerabilidad surge porque los archivo... • https://packetstorm.news/files/id/202886 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1749 – HTML injection vulnerability in OpenCart
https://notcve.org/view.php?id=CVE-2025-1749
28 Feb 2025 — HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/voucher. Vulnerabilidades de inyección HTML en versiones de OpenCart antes de 4.1.0. Estas vulnerabilidades podrían permitir a un atacante modificar el HTML del navegador de la víctima enviando una URL maliciosa y modificando el nombre del parámetro en /account/voucher. HTML injecti... • https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-opencart • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1748 – HTML injection vulnerability in OpenCart
https://notcve.org/view.php?id=CVE-2025-1748
28 Feb 2025 — HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/register. HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/register. • https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-opencart • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1747 – HTML injection vulnerability in OpenCart
https://notcve.org/view.php?id=CVE-2025-1747
28 Feb 2025 — HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/login. HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/login. • https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-opencart • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1746 – Cross-Site Scripting vulnerability in OpenCart
https://notcve.org/view.php?id=CVE-2025-1746
28 Feb 2025 — Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the search in the /product/search endpoint. This vulnerability could be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. • https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-opencart • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 6%CPEs: 1EXPL: 1CVE-2023-47444
https://notcve.org/view.php?id=CVE-2023-47444
15 Nov 2023 — An issue discovered in OpenCart 4.0.0.0 to 4.0.2.3 allows authenticated backend users having common/security write privilege can write arbitrary untrusted data inside config.php and admin/config.php, resulting in remote code execution on the underlying server. Un problema descubierto en OpenCart 4.0.0.0 a 4.0.2.3 permite que los usuarios backend autenticados que tienen privilegios de escritura comunes/de seguridad puedan escribir datos arbitrarios que no sean de confianza dentro de config.php y admin/config... • https://0xbro.red/disclosures/disclosed-vulnerabilities/opencart-cve-2023-47444 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2315 – Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2
https://notcve.org/view.php?id=CVE-2023-2315
26 Sep 2023 — Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2 allows an authenticated user with access/modify privilege on the Log component to empty out arbitrary files on the server Path Traversal en las versiones 4.0.0.0 a 4.0.2.2 de OpenCart permite a un usuario autenticado con privilegios de acceso/modificación en el componente de Log vaciar archivos arbitrarios en el servidor • https://github.com/opencart/opencart/commit/0a8dd91e385f70e42795380009fd644224c1bc97 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2023-40834 – OpenCart CMS 4.0.2.2 Brute Force
https://notcve.org/view.php?id=CVE-2023-40834
06 Sep 2023 — OpenCart CMS v4.0.2.2 was discovered to lack a protective mechanism on its login page against excessive login attempts, allowing unauthenticated attackers to gain access to the application via a brute force attack to the password parameter. OpenCart v4.0.2.2 es vulnerable al Ataque de Fuerza bruta. OpenCart CMS version 4.0.2.2 suffers from a login brute forcing vulnerability. • https://packetstorm.news/files/id/174525 • CWE-307: Improper Restriction of Excessive Authentication Attempts •