CVE-2024-21514

CVSS V2 None CVSS V3 None

Description

This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have to be enabled), it is possible to exploit SQL injection to gain unauthorised access to the backend database. For any site which is vulnerable, any unauthenticated user could exploit this to dump the entire OpenCart database, including customer PII data.

Overview

CVE ID
CVE-2024-21514

Assigner
snyk

Vulnerability Status
PUBLISHED

Published Version
2024-06-22T05:00:04.158Z

Last Modified Date
2024-06-22T05:00:04.158Z

Weakness Enumerations

CWE	URL
CWE-89	http://cwe.mitre.org/data/definitions/89.html

References

Reference URL	Reference Tags
https://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-7266565
https://github.com/opencart/opencart/blob/3.0.3.9/upload/catalog/model/extension/payment/divido.php%23L114
https://github.com/opencart/opencart/commit/46bd5f5a8056ff9aad0aa7d71729c4cf593d67e2

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-21514
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21514

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 15:28:50				Added to TrackCVE