// For flags

CVE-2024-21514

 

Severity Score

8.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have to be enabled), it is possible to exploit SQL injection to gain unauthorised access to the backend database. For any site which is vulnerable, any unauthenticated user could exploit this to dump the entire OpenCart database, including customer PII data.

Esto afecta a las versiones del paquete opencart/opencart desde 0.0.0. Se identificó un problema de inyección SQL en la extensión de pago Divido para OpenCart, que se incluye de forma predeterminada en la versión 3.0.3.9. Como usuario anónimo no autenticado, si el módulo de pago Divido está instalado (no es necesario habilitarlo), es posible aprovechar la inyección SQL para obtener acceso no autorizado a la base de datos backend. Para cualquier sitio que sea vulnerable, cualquier usuario no autenticado podría aprovechar esto para volcar toda la base de datos de OpenCart, incluidos los datos de PII del cliente.

*Credits: Calum Hutton
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
Poc
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-12-22 CVE Reserved
  • 2024-06-22 CVE Published
  • 2024-06-23 First Exploit
  • 2024-06-25 EPSS Updated
  • 2024-08-01 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Opencart
Search vendor "Opencart"
Opencart
Search vendor "Opencart" for product "Opencart"
3.0.3.9
Search vendor "Opencart" for product "Opencart" and version "3.0.3.9"
-
Affected