CVE-2020-29470
Description
OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subject field of mail. This vulnerability allows an attacker to inject an XSS payload into the Subject field of the mail; each time any user opens that mail on the website, the XSS triggers and the attacker can steal the cookie according to the crafted payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenCart 3.0.3.6 is vulnerable to stored XSS via the Subject field of mail, allowing attackers to steal cookies when users open the email.
Vulnerability
Description
OpenCart 3.0.3.6 is affected by a stored cross-site scripting (XSS) vulnerability in the Subject field of the mail functionality [1]. The application fails to properly sanitize user input in the Subject field, allowing an attacker to inject malicious scripts that are stored and executed when the email is viewed.
Exploitation
An attacker with administrative access to the OpenCart admin panel can exploit this vulnerability by navigating to Marketing → Mail and inserting a crafted payload into the Subject field [2]. When the mail is sent and subsequently opened by any user (e.g., a customer or another admin), the injected script executes in the context of the victim's browser. The provided proof-of-concept payload uses `` to demonstrate script execution [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to cookie theft, session hijacking, or defacement. Since the attack is stored, the payload persists and affects every user who views the malicious email.
Mitigation
As of the publication date, OpenCart 3.0.3.6 is the affected version. Users should upgrade to a patched release if available. A workaround involves restricting access to the mail functionality to trusted administrators only and implementing manual input validation for the Subject field.
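The workaround above names input validation for the Subject field. As an added example (not OpenCart's own code; the function names are hypothetical), the PHP below shows the two defensive steps a practitioner would pair: validating the subject as a single line of plain text on the way in, and HTML-escaping it on the way out, which is the step that actually stops a stored subject from being parsed as markup when the mail is viewed.

```php
<?php
// Added example, not OpenCart code. Function names are hypothetical.
declare(strict_types=1);

/**
 * Server-side validation for the Subject field: an e-mail subject is a
 * single line of plain text, so reject control characters (including the
 * CR/LF that would enable header injection) and cap the length.
 * Returns the trimmed subject, or null if it should be rejected.
 */
function validateMailSubject(string $subject): ?string
{
    $subject = trim($subject);
    if ($subject === '' || mb_strlen($subject, 'UTF-8') > 255) {
        return null;                       // reject: empty or too long
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $subject) === 1) {
        return null;                       // reject: control characters
    }
    return $subject;
}

/**
 * Output encoding: whatever was stored, escape it at the point it is placed
 * into an HTML context so the browser treats it as text, not markup.
 * ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids returning
 * an empty string on invalid UTF-8.
 */
function renderSubjectHtml(string $subject): string
{
    return htmlspecialchars($subject, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: a subject carrying markup, as a malicious user
// might submit it through the mail form.
$submitted = "Order update <script>alert(1)</script>";

$clean = validateMailSubject($submitted);
if ($clean === null) {
    echo "rejected\n";
} else {
    // The stored value is kept verbatim (a subject may legitimately contain
    // '<' or '&'); rendering escapes it, so the tag is shown, not executed.
    echo renderSubjectHtml($clean), "\n";
}

// Constructed sample input with a CR/LF, rejected by validation.
var_dump(validateMailSubject("Hello\r\nBcc: someone@example.invalid"));
```

Validation alone is not a complete fix: an administrator may also send subjects containing angle brackets for legitimate reasons, and any other path that renders the stored value (mail preview, list views, logs) needs the same output encoding.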
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OpenCart/OpenCart (description)
- ghsa-coords
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-87cv-57p8-j33x (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-29470 (GHSA, ADVISORY)
- www.exploit-db.com/exploits/49099 (GHSA, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.