VYPR
High severity · 8.2 · NVD Advisory · Published May 10, 2026 · Updated May 12, 2026

CVE-2021-47928

Description

Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter. Attackers can craft malicious SQL queries using time-based or content-based blind injection techniques to enumerate usernames, emails, and password reset codes from the oc_user table.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated blind SQL injection in OpenCart TMD Vendor System 3.x allows attackers to extract database contents via the product_id parameter.

Vulnerability

Overview

CVE-2021-47928 describes a blind SQL injection vulnerability in the OpenCart TMD Vendor System extension version 3.x. The flaw resides in the product_id parameter, which is not properly sanitized before being used in SQL queries. This allows an unauthenticated attacker to inject arbitrary SQL code, leveraging time-based or content-based blind injection techniques to extract sensitive data from the database [1][2][4].

Exploitation

The attack is performed over HTTP by sending crafted requests to the product route with a malicious product_id value. No authentication is required, and the attacker does not need any special network position beyond being able to reach the vulnerable OpenCart instance. The blind nature of the injection means the attacker must observe response timing or content differences to infer the results of the injected queries [2][4].

Impact

Successful exploitation enables an attacker to enumerate usernames, email addresses, and password reset codes from the oc_user table. This information can be used to compromise user accounts, potentially leading to privilege escalation or further attacks against the application and its users [1][2][4].

Mitigation

As of the publication date, the vendor has not released a patch for this vulnerability. Users of the TMD Vendor System 3.x are advised to apply input validation and parameterized queries as a workaround, or consider disabling the vulnerable functionality until a fix is available. The vulnerability has been publicly disclosed and an exploit is available, increasing the risk of active exploitation [2][4].
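The workaround the Mitigation section recommends, validation plus parameterized queries, is easiest to see side by side with the pattern it replaces. The following is an added example, not code from the TMD Vendor System extension or from OpenCart; the function names, the vendor_product table and the PDO/SQLite setup are assumptions chosen to make it run stand-alone.

```php
<?php
// Added example (not the extension's or OpenCart's own code).
// Contrasts a product_id that is concatenated into SQL with the hardened
// handling the advisory recommends: strict input validation followed by a
// parameterized query. Function and table names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the request value is spliced into the query string,
// so anything that is not a plain number reaches the SQL parser. That is
// the precondition for the blind (time- or content-based) extraction the
// advisory describes.
function lookupProductVulnerable(PDO $db, string $productId): array
{
    $sql = "SELECT product_id, name FROM vendor_product WHERE product_id = '" . $productId . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: enforce the expected type first, then bind the value so
// the database engine never interprets it as SQL text.
function lookupProductHardened(PDO $db, string $productId): array
{
    // product_id is a positive integer identifier; reject anything else
    // before a query is even built.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $productId)) {
        throw new InvalidArgumentException('product_id must be a positive integer');
    }

    $stmt = $db->prepare('SELECT product_id, name FROM vendor_product WHERE product_id = :id');
    $stmt->bindValue(':id', (int) $productId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE vendor_product (product_id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO vendor_product VALUES (1, 'Widget'), (2, 'Gadget')");

// A well-formed identifier is looked up normally.
var_dump(lookupProductHardened($db, '2'));

// A value that is not a plain integer is refused before any SQL runs.
try {
    lookupProductHardened($db, '2abc');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

In OpenCart's own models the usual minimal fix for an integer parameter is an explicit `(int)` cast before it is concatenated; the PDO-style binding above is the general form that also covers string parameters. Whichever form is used, the validation step still matters: it turns a malformed request into a clean error instead of a silent query change, which is also what a web application firewall or access-log monitor can alert on while the extension remains unpatched.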

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 4
