Opencart/opencart

This hub aggregates every CVE we track for Opencart/opencart, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Opencart/opencart.

• CVE-2024-36694OpenCart 4.0.2.3 is vulnerable to Server-Side Template Injection (SSTI) via the Theme Editor Function.7.2Dec 18, 2024
• CVE-2024-21516This affects versions of the package opencart/opencart from 4.0.0.0 and before 4.1.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An at...4.2Jun 22, 2024
• CVE-2024-21519This affects versions of the package opencart/opencart from 4.0.0.0. An Arbitrary File Creation issue was identified via the database restoration functionality. By injecting PHP code into the datab...6.6Jun 22, 2024
• CVE-2024-21514This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3....7.4Jun 22, 2024
• CVE-2024-21518This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files wi...7.2Jun 22, 2024
• CVE-2024-21517This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary...4.2Jun 22, 2024
• CVE-2024-21515This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the filename parameter of the admin tool/log route. An attacker could obtain a user's to...4.2Jun 22, 2024
• CVE-2023-2315Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.28.1Sep 26, 2023
• CVE-2021-37823OpenCart 3.0.3.7 allows users to obtain database information or read server files through SQL injection in the background.4.9Nov 3, 2022
• CVE-2020-29470OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subject field of mail. This vulnerability can allow an attacker to inject the XSS payload in the Subject field of the mail and each...4.8Dec 29, 2020
• CVE-2020-29471OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Profile Image. An admin can upload a profile image as a malicious code using JavaScript. Whenever anyone will see the profile pictu...4.8Dec 29, 2020
• CVE-2020-28838Cross Site Request Forgery (CSRF) in CART option in OpenCart Ltd. Opencart CMS 3.0.3.6 allows attacker to add cart items via Add to cart.3.5Dec 11, 2020
• CVE-2020-13980OpenCart 3.0.3.3 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section because of a lack of entity encoding. NOTE: this issue exists bec...4.8Jun 9, 2020
• CVE-2020-10596OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section.5.4Mar 17, 2020
• CVE-2018-13067/upload/catalog/controller/account/password.php in OpenCart through 3.0.2.0 has CSRF via the index.php?route=account/password URI to change a user's password.8.8Jul 2, 2018