← back
CVE-2021-47946

OpenCart 3.0.3.6 Account Takeover via Cross Site Request Forgery

CVSS 6.9 MEDIUMEPSS 0.2%CWE-352
OpenCart 3.0.3.6 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email addresses and account information, then use password reset functionality to gain unauthorized access to compromised accounts.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
Affected products
Opencart · OpenCart
public PoCs found1
cve_referencewww.exploit-db.com/exploits/49407unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://www.exploit-db.com/exploits/49407https://www.opencart.comhttps://www.opencart.com/index.php?route=cms/downloadhttps://www.vulncheck.com/advisories/opencart-account-takeover-via-cross-site-request-forgery