Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Multiple vulnerabilities in OpenCart

Posted date 27/02/2025
Identificador
INCIBE-2025-0108
Importance
3 - Medium
Affected Resources

OpenCart, versions prior to 4.1.0.

Description

INCIBE has coordinated the publication of 4 vulnerabilities of medium severity, affecting OpenCart, an open source eCommerce platform, which have been discovered by Gonzalo Aguilar García (6h4ack).

These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and CWE vulnerability type for each vulnerability:

  • CVE-2025-1746: CVSS v3.1: 6.1 | CVSS AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79
  • CVE-2025-1747 to CVE-2025-1749: CVSS v3.1: 4.7 | CVSS AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N | CWE-79
Solution

The vulnerability has been fixed by the OpenCart team in version 4.1.0.

Detail

Las vulnerabilidades son:

  • CVE-2025-1746: Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the search in the /product/search endpoint. This vulnerability could be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
  • Multiple HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL. The list of assigned parameters and identifiers is as follows:
    • CVE-2025-1747: by modifying the parameter name in /account/login.
    • CVE-2025-1748: by modifying the parameter name in /account/register.
    • CVE-2025-1749: by modifying the parameter name in /account/voucher.
References list
OpenCart - Vendor website
Etiquetas