VYPR
Moderate severity · NVD Advisory · Published Dec 29, 2020 · Updated Aug 4, 2024

CVE-2020-29471

Description

OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Profile Image. An admin can upload a profile image that carries malicious JavaScript code. Whenever anyone views the profile picture, the code executes and the XSS triggers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenCart 3.0.3.6 admin profile image upload fails to sanitize filenames, allowing stored XSS via a crafted SVG file.

Vulnerability

Overview

OpenCart version 3.0.3.6 is affected by a stored cross-site scripting (XSS) vulnerability in the Profile Image upload functionality. The root cause is insufficient sanitization of image filenames during the upload process. An authenticated administrator can upload a file with a malicious name containing JavaScript payloads, such as ">.png. The file is stored and rendered without proper escaping, causing the script to execute when any user views the profile page containing the image [1][2].

Exploitation

Exploitation requires an authenticated session with administrative privileges, limiting the attack surface to admin users. The attacker navigates to the profile page, edits the profile image, and uploads a specially crafted file (e.g., payload.png) that contains HTML and JavaScript in its filename. The stored XSS triggers automatically when the profile page is loaded by any user who sees the image. This attack does not require any user interaction beyond viewing the page [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive data displayed in the admin panel. Since the payload is stored, it affects all users who access the compromised profile page, potentially including other administrators or users with appropriate permissions [1][2].

Mitigation

The vendor has not released a public patch specifically for this vulnerability as of the publication date. Users are advised to restrict profile image uploads to trusted administrators only and consider applying input validation or output encoding manually. The vulnerability is documented in public exploit databases, increasing the risk of active exploitation [2].
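
The two manual mitigations named above, input validation and output encoding, sketched in PHP as an added example. This is not OpenCart's code: the function names, the allow-list of image types and the /image/profile/ path are assumptions, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example: function names, the allow-list and the URL are assumptions, not OpenCart code.

// Input validation: ignore the client-supplied name entirely. The extension comes
// from the decoded image type and the stored name is generated on the server.
function storedImageName(string $tmpPath): string
{
    $allowed = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];
    $info = @getimagesize($tmpPath); // false when the file is not a parseable image
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new InvalidArgumentException('upload is not an allowed raster image');
    }
    return bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
}

// Output encoding: percent-encode the name as a URL path segment, then HTML-escape
// every value placed in an attribute, so a name already stored with quotes or
// angle brackets cannot close the attribute or open a new tag.
function imgTag(string $baseUrl, string $fileName, string $alt): string
{
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('<img src="%s" alt="%s">', $esc($baseUrl . rawurlencode($fileName)), $esc($alt));
}

// Constructed sample input: a minimal PNG signature + IHDR (1x1) in a temp file,
// and a constructed legacy filename carrying harmless markup.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . pack('NNC5', 1, 1, 8, 6, 0, 0, 0));
$legacyName = '"><i>demo</i>.png';

echo storedImageName($tmp), PHP_EOL;
echo imgTag('/image/profile/', $legacyName, $legacyName), PHP_EOL;

// A file whose bytes are markup rather than an image is refused before any name is stored.
file_put_contents($tmp, '<i>not an image</i>');
try {
    storedImageName($tmp);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
} finally {
    unlink($tmp);
}
```

Generating the stored name server-side removes the attacker-controlled string at the source, while escaping at render time covers names that were stored before the validation was in place.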

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
