CVE-2024-21514

HIGH
Published Jun 22, 2024 (2y ago) · Modified Jun 17, 2026 (1w ago)
8.1 CVSS 3.1
High

Description

This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have to be enabled), it is possible to exploit SQL injection to gain unauthorised access to the backend database. For any site which is vulnerable, any unauthenticated user could exploit this to dump the entire OpenCart database, including customer PII data.

CVSS Details

Base Score
8.1
Exploitability
2.2
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-89 SQL Injection

Affected Products 1

Vendor    Product   Version  Range
opencart  opencart  3.0.3.9  any

References 3

  • github.com https://github.com/opencart/opencart/blob/3.0.3.9/upload/catalog/model/extension/payment/divido.php%23L114
    Product
  • github.com https://github.com/opencart/opencart/commit/46bd5f5a8056ff9aad0aa7d71729c4cf593d67e2
    Patch
  • security.snyk.io https://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-7266565
    Exploit, Patch, Third Party Advisory

Remediation

  • github.com https://github.com/opencart/opencart/commit/46bd5f5a8056ff9aad0aa7d71729c4cf593d67e2
    Patch
  • security.snyk.io https://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-7266565
    Exploit, Patch, Third Party Advisory