CVE-2024-21515

CVSS 3.1 Score 4.2 of 10 (medium)

Details

Published Jun 22, 2024
Updated: Jun 24, 2024
CWE ID 79

Summary

CVE-2024-21515 is a vulnerability affecting versions of the opencart/opencart package from 4.0.0.0 onward. It is a reflected XSS issue in the filename parameter of the admin tool/log route. An attacker can exploit it by tricking a user into clicking a malicious URL, which allows the attacker to obtain the user's token and execute payloads upon authentication. If the targeted user has admin privileges, this vulnerability could lead to further exploits such as Zip Slip or arbitrary file write vulnerabilities in the admin functionality.

The vulnerability can only be exploited if the attacker knows the name or path of the admin directory, which is "admin" by default but can be renamed by users. A fix has been implemented that removes the redirect control, which had allowed an attacker to control the redirect after admin login, but it is still possible to exploit this vulnerability partially.

The base severity of this vulnerability is rated MEDIUM, with a base score of 4.2 under CVSS:3.1. Exploitation requires user interaction and network access.

Affected Products: opencart/opencart versions 4.0.0.0 and above

Remediation: Users should rename their admin directory from its default name "admin" to mitigate this vulnerability.

Potential Danger: This vulnerability poses a risk of unauthorized access and potential chained exploits that could compromise system integrity and confidentiality if an attacker obtains admin privileges within the affected organization's opencart/opencart installation.
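For defenders reviewing web server logs, the following added example (not code from this advisory or from OpenCart) flags requests to the tool/log route whose filename parameter does not look like a plain file name. It assumes combined-format access logs, OpenCart's `route` query parameter with `.` or `|` as method separators, and a filename allowlist chosen here; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist for a log file name; anything else is worth a look.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9._-]{1,128}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# tool/log itself or one of its methods (separator characters are an assumption).
LOG_ROUTE = re.compile(r"tool/log(?:[.|].*)?")


def suspicious_log_requests(lines):
    """Return (line_number, decoded_filename) for tool/log requests with an unsafe filename."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        # parse_qs percent-decodes once, so a double-encoded value still
        # contains '%' and fails the allowlist below.
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        # Match on the route, not the path: the admin directory may be renamed.
        if not any(LOG_ROUTE.fullmatch(r) for r in query.get("route", [])):
            continue
        for value in query.get("filename", []):
            if not SAFE_FILENAME.fullmatch(value):
                hits.append((number, value))
    return hits


# Constructed sample entries (documentation IP ranges, made-up tokens).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jun/2024:10:01:02 +0000] "GET /admin/index.php?route=tool/log&user_token=abc HTTP/1.1" 200 5120',
    '203.0.113.7 - - [24/Jun/2024:10:01:09 +0000] "GET /admin/index.php?route=tool/log.download&filename=error.log&user_token=abc HTTP/1.1" 200 901',
    '198.51.100.23 - - [24/Jun/2024:10:04:44 +0000] "GET /admin/index.php?route=tool/log&filename=%22%3E%3Cb%3Ex HTTP/1.1" 302 0',
    '198.51.100.23 - - [24/Jun/2024:10:05:10 +0000] "GET /backoffice/index.php?route=tool/log&filename=%253Cb%253E HTTP/1.1" 302 0',
    '203.0.113.7 - - [24/Jun/2024:10:06:00 +0000] "GET /index.php?route=product/search&search=%3Cb%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, value in suspicious_log_requests(SAMPLE_LOG):
        print(f"line {number}: unexpected filename value {value!r}")
```

Hits that returned a 302 to the login page are worth correlating with a subsequent admin login from the same client, since the advisory describes the payload executing upon authentication.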
