CVE-2020-13980
Description
OpenCart 3.0.3.3 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section because of a lack of entity encoding. NOTE: this issue exists because of an incomplete fix for CVE-2020-10596. The vendor states "this is not a massive issue as you are still required to be logged into the admin."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| opencart/opencart (Packagist) | <= 3.0.3.3 | — |
Affected products
- OpenCart/OpenCart
Patches
Vulnerability mechanics
Root cause
"Missing entity encoding of user-supplied filenames in the admin image upload section allows stored XSS."
Attack vector
An authenticated attacker with access to the OpenCart admin panel navigates to System > Users > Users, edits a user, and clicks the image field to open the Image manager [ref_id=1]. The attacker renames a legitimate image file to include an XSS payload such as `"><svg onload=alert("XSS")>` and uploads it as the user profile image [ref_id=1]. Because the filename is not entity-encoded before being displayed, the JavaScript payload executes in the browser of any admin who visits the Image manager section, leading to stored cross-site scripting [CWE-79].
Affected code
The vulnerability resides in the admin image upload functionality. When a user uploads an image file, the filename is not sanitized or entity-encoded before being rendered in the Image manager section of the admin panel [ref_id=1]. The issue affects the user profile image upload path under System > Users > Users in the OpenCart admin dashboard.
What the fix does
The advisory does not include a published patch diff. The expected remediation, as described in the bug report, is to escape and sanitize HTML tags and special characters in filenames before storing or displaying them, and to validate file extensions and headers to prevent XSS and other file-upload vulnerabilities [ref_id=1]. The vendor notes that exploitation requires admin-level authentication, which reduces the severity but does not eliminate the need for proper output encoding: OpenCart back-office accounts belong to user groups with different permissions, so a low-privileged back-office user can still use this to run script in the session of a fully privileged administrator who opens the Image manager.
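The following PHP block is an added illustration, not OpenCart's own code and not the vendor's fix; the function names, the extension allowlist and the markup are assumptions made for the example. It places the vulnerable pattern described above (a stored filename interpolated into admin markup verbatim) next to the two controls the bug report calls for: entity encoding at output time, and an allowlist check on the filename and extension at upload time.

```php
<?php
// Illustrative example added by the editor; not OpenCart's code.
// Function names, markup and the allowlist below are assumptions.

declare(strict_types=1);

/**
 * Vulnerable pattern: the stored filename is dropped into HTML as-is.
 * A name such as  "><svg onload=alert("XSS")>  closes the title attribute
 * and the <svg> element is parsed as markup, so its onload handler runs.
 */
function render_image_entry_vulnerable(string $filename): string
{
    return '<a href="image/catalog/' . $filename . '" title="' . $filename . '">'
        . $filename . '</a>';
}

/**
 * Hardened rendering: entity-encode at the point of output, in both the
 * attribute and the text context. ENT_QUOTES encodes " and ' so a value
 * cannot terminate the attribute early; the URL part is percent-encoded.
 */
function render_image_entry_safe(string $filename): string
{
    $enc = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="image/catalog/' . rawurlencode($filename) . '" title="' . $enc . '">'
        . $enc . '</a>';
}

/**
 * Input-side check for an uploaded filename (assumed helper): strip any
 * directory component, allow only a conservative character set, and require
 * exactly one extension from an allowlist. Returns the accepted name or null.
 */
function validate_upload_name(
    string $rawName,
    array $allowedExt = ['jpg', 'jpeg', 'png', 'gif', 'webp']
): ?string {
    // basename() discards path components such as ../../
    $name = basename($rawName);
    if (strlen($name) < 3 || strlen($name) > 255) {
        return null;
    }
    // Allowlist, not denylist: letters, digits, dot, dash and underscore only.
    // This rejects quotes, angle brackets, spaces and every other HTML-relevant byte.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $name)) {
        return null;
    }
    // Exactly one extension, so names like shell.php.jpg are refused.
    if (substr_count($name, '.') !== 1) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    return $name;
}

/**
 * Header check for the uploaded bytes (assumed helper): the file must parse
 * as an image and its detected type must match the extension it claims.
 */
function validate_image_header(string $tmpPath, string $acceptedName): bool
{
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return false;
    }
    $detected = image_type_to_extension($info[2], false); // e.g. "jpeg", "png"
    $claimed  = strtolower(pathinfo($acceptedName, PATHINFO_EXTENSION));
    $map = ['jpg' => 'jpeg', 'jpeg' => 'jpeg', 'png' => 'png', 'gif' => 'gif', 'webp' => 'webp'];
    return isset($map[$claimed]) && $map[$claimed] === $detected;
}

// Constructed payload modelled on the one in the report.
$payload = '"><svg onload=alert("XSS")>.png';

echo render_image_entry_vulnerable($payload), PHP_EOL;
echo render_image_entry_safe($payload), PHP_EOL;

var_dump(validate_upload_name($payload));           // rejected at upload time
var_dump(validate_upload_name('profile-2020.png'));  // accepted
var_dump(validate_upload_name('../../config.php'));  // rejected: bad extension
```

Output encoding is the control that actually closes CWE-79 here; the upload-time allowlist is defence in depth and also covers the traversal and double-extension cases the bug report mentions. Both are needed because a filename that was stored before the allowlist existed, or written to the image directory by another route, still reaches the Image manager template.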
Preconditions
- auth: Attacker must have valid admin credentials and be logged into the OpenCart admin panel.
- input: Attacker must have access to the user image upload functionality under System > Users > Users.
Reproduction
1. Log in to the OpenCart admin panel at `/admin` with valid credentials.
2. Navigate to **System > Users > Users** and click the **Action** button on the top right.
3. In the image field, click the image icon to open the Image manager.
4. Select an image file and rename it to `"><svg onload=alert("XSS")>`.
5. Upload the renamed file as the new user profile image.
6. The XSS payload executes immediately and will execute each time any admin visits the Image manager section [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-p9qw-fh38-x37f (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-13980 (NVD entry)
- github.com/opencart/opencart/issues/7810 (GitHub issue)
- github.com/opencart/opencart/issues/7974 (GitHub issue)
News mentions
No linked articles in our index yet.