CVE-2021-47928

Opencart TMD Vendor System 3.x Blind SQL Injection via product route

CVSS 8.8 HIGHEPSS 0.3%CWE-89

Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter. Attackers can craft malicious SQL queries using time-based or content-based blind injection techniques to enumerate usernames, emails, and password reset codes from the oc_user table.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

opencartextensions · Extension TMD Vendor System

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/50493unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.exploit-db.com/exploits/50493 https://www.opencartextensions.in/https://www.opencartextensions.in/opencart-multi-vendor-multi-seller-marketplace https://www.vulncheck.com/advisories/opencart-tmd-vendor-system-3-x-blind-sql-injection-via-product-route