CVE-2018-1000640
Description
OpenCart-Overclocked <=1.11.1 has a reflected XSS vulnerability via unsanitized 'token' GET parameter in the OpenBay admin template.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OpenCart-Overclocked version <=1.11.1 contains a reflected Cross-Site Scripting (XSS) vulnerability in the admin OpenBay template. The JavaScript function on line 95 of `upload/admin/view/template/extension/openbay.tpl` directly echoes the `token` GET parameter without sanitization: `var token = "<?php echo $_GET['token']; ?>"` [1][4]. This allows an attacker to inject arbitrary JavaScript code through a crafted token value.
Exploitation
The attacker can exploit this by crafting a malicious URL containing a token parameter with JavaScript code, then coercing a victim (such as an administrator) to visit that link [4]. No authentication is required for the initial request, though the template is in the admin panel. User interaction (clicking the link) is necessary for successful exploitation [1][4].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the admin session context. This can lead to unauthorised actions (such as modifying store settings), access to sensitive data (including session cookies), stealing session information, or denial of service [1][4].
Mitigation
No official patch or fixed version has been publicly released by the project maintainer; the repository was archived in December 2023 and is read-only [2]. As a workaround, administrators should sanitize the token parameter in the OpenBay template, enforce HTTPS, and consider implementing a Content Security Policy (CSP). The project appears to be end-of-life [2].
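The workaround of sanitizing the token parameter can be sketched as follows. This is an added example, not code from OpenCart-Overclocked or the cited advisories; the function names are hypothetical and the 32-hex-character token format is an assumption.

```php
<?php
// Added example; not code from OpenCart-Overclocked. Function names are hypothetical.

// Before: the pattern quoted above, the raw GET value placed inside a JS string.
function render_vulnerable(array $get)
{
    return 'var token = "' . $get['token'] . '";';
}

// Encode a PHP string as a JavaScript string literal for an inline <script>.
// The JSON_HEX_* flags emit <, >, &, ' and " as \uXXXX escapes, so the value
// can end neither the string literal nor the enclosing script element.
function js_string($value)
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json = json_encode((string) $value, $flags);
    return $json === false ? '""' : $json; // invalid UTF-8: fail closed
}

// After: validate first, then encode for the JavaScript context.
function render_hardened(array $get)
{
    $token = (isset($get['token']) && is_string($get['token'])) ? $get['token'] : '';
    // Assumption: a well-formed admin token is 32 lowercase hex characters.
    if (!preg_match('/\A[a-f0-9]{32}\z/', $token)) {
        $token = '';
    }
    return 'var token = ' . js_string($token) . ';';
}

// Constructed sample values: one well-formed token, one with a quote and tag characters.
$samples = array(
    str_repeat('0123456789abcdef', 2),
    'abc"</script>def',
);
foreach ($samples as $sample) {
    $get = array('token' => $sample);
    echo 'input:      ', $sample, PHP_EOL;
    echo 'vulnerable: ', render_vulnerable($get), PHP_EOL;
    echo 'encoded:    ', 'var token = ' . js_string($sample) . ';', PHP_EOL;
    echo 'hardened:   ', render_hardened($get), PHP_EOL, PHP_EOL;
}
```

Encoding alone is enough to keep the value inside the string literal; the format check additionally rejects anything that could not be a token under the stated assumption.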
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| villagedefrance/opencart-overclocked (Packagist) | <= 1.11.1 | — |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"User input is not properly sanitized before being included in JavaScript code within a template."
Attack vector
An attacker can exploit this vulnerability by passing malicious input through a GET parameter. This unsanitized input is then directly embedded into JavaScript functions within a template. The vulnerability allows for unauthorized actions, data access, session hijacking, and denial of service attacks [CWE-79].
Affected code
The vulnerability arises where unsanitized user input is placed inside JavaScript functions in the template. The specific files and functions are not detailed in the provided information.
What the fix does
The patch is not available in the provided information. The advisory does not specify the exact fix, but it is implied that the vulnerability is addressed by properly sanitizing user input before it is rendered within JavaScript code in templates. This prevents the execution of arbitrary scripts.
Preconditions
- Input: malicious input passed in a GET parameter.
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- github.com/advisories/GHSA-cr3q-658v-qv3x (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-1000640 (ghsa, ADVISORY)
- 0dd.zone/2018/08/05/OpenCart-Overclocked-Reflected-XSS (ghsa, WEB)
- 0dd.zone/2018/08/05/OpenCart-Overclocked-Reflected-XSS/ (mitre, x_refsource_MISC)
- github.com/418sec/OpenCart-Overclocked/pull/1 (ghsa, WEB)
- github.com/villagedefrance/OpenCart-Overclocked/issues/190 (ghsa, x_refsource_CONFIRM, WEB)