VYPR
Moderate severity · NVD Advisory · Published Mar 17, 2020 · Updated Aug 4, 2024

CVE-2020-10596


Description

OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenCart 3.0.3.2 allows authenticated stored XSS via a crafted filename in the user image upload section.

Vulnerability

Overview

CVE-2020-10596 describes a stored cross-site scripting (XSS) vulnerability in OpenCart 3.0.3.2. The root cause is the lack of proper sanitization of filenames during image upload in the admin panel's user management section. When an authenticated user uploads an image, the filename is stored and later rendered without escaping HTML or JavaScript content, allowing arbitrary script execution [3][4].

Exploitation

An attacker with valid admin credentials can exploit this by renaming an image file so that its name contains an XSS payload, such as ">, and uploading it as a user profile image. The payload executes each time any user visits the Image Manager section, making it a persistent threat [4]. No additional privileges beyond standard authenticated user access are required.

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the admin dashboard. This can lead to theft of session cookies, keystroke logging, account takeover, or further compromise of the OpenCart installation [4].

Mitigation

As of the publication date, no official patch was available. The vendor was notified via the GitHub issue tracker [4]. Until a fix is applied, administrators should restrict image upload permissions to trusted accounts and enforce server-side validation of uploaded filenames, escaping any stored name when it is rendered in the admin UI.
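As an added illustration (not OpenCart's own code), the two defensive measures the mitigation note points at, in Python: allowlist validation of the uploaded filename and HTML-escaping of the stored name at render time, shown beside the vulnerable verbatim-interpolation pattern. The function names, the allowlist rule and the sample filenames are assumptions constructed for this example.

```python
import html
import re

# Allowlist for uploaded image names: a plain base name plus a known image extension.
# This rule is constructed for the example; it is not OpenCart's own validation.
SAFE_IMAGE_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.(png|jpe?g|gif|webp)$", re.IGNORECASE)


def validate_upload_filename(filename: str) -> bool:
    """Return True only if the filename is safe to store and later display."""
    if not filename or len(filename) > 255:
        return False
    # Reject hidden files and any path-traversal component before the regex runs.
    if filename.startswith(".") or ".." in filename or "/" in filename or "\\" in filename:
        return False
    return SAFE_IMAGE_NAME.fullmatch(filename) is not None


def render_thumbnail_unsafe(filename: str) -> str:
    """The vulnerable pattern: the stored filename is interpolated into HTML verbatim,
    so a quote or angle bracket in the name breaks out of the attribute."""
    return f'<img src="/image/{filename}" alt="{filename}">'


def render_thumbnail(filename: str) -> str:
    """Hardened render: escape on output, even for names that passed validation,
    so the two controls do not depend on each other."""
    safe = html.escape(filename, quote=True)
    return f'<img src="/image/{safe}" alt="{safe}">'


def handle_upload(filename: str) -> str:
    """Validate first, then render; the caller stores only names that pass."""
    if not validate_upload_filename(filename):
        raise ValueError("rejected upload: filename contains disallowed characters")
    return render_thumbnail(filename)


# Constructed sample names: one benign, one that would break out of an attribute.
BENIGN_NAME = "avatar_01.png"
CRAFTED_NAME = 'avatar"><b>x</b>.png'
```

Running `render_thumbnail_unsafe(CRAFTED_NAME)` shows the injected `<b>` tag landing in the markup, while `render_thumbnail(CRAFTED_NAME)` keeps it as inert text and `handle_upload(CRAFTED_NAME)` rejects the name outright.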

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: opencart/opencart (Packagist)
Affected versions: <= 3.0.3.2
Patched versions: none listed

Patches: 0 (no patches discovered yet)
