High severity7.2NVD Advisory· Published Aug 31, 2017· Updated May 13, 2026

CVE-2016-10509

Description

SQL injection vulnerability in the updateAmazonOrderTracking function in upload/admin/model/openbay/amazon.php in OpenCart before version 2.3.0.0 allows remote authenticated administrators to execute arbitrary SQL commands via a carrier (aka courier_id) parameter to openbay.php.

Affected products

Opencart/Opencart
cpe:2.3:a:opencart:opencart:*:b1:*:*:*:*:*:*
Range: <=2.3.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/opencart/opencart/commit/b95044da6ac608e7239f7949ff21d3b65be68f82nvdPatchVendor Advisory
github.com/opencart/opencart/issues/4114nvdExploitIssue TrackingVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.468
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000