High severity · NVD Advisory · Published Sep 26, 2023 · Updated Sep 24, 2024
Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2
CVE-2023-2315
Description
Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2 allows an authenticated user with access/modify privilege on the Log component to empty out arbitrary files on the server.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| opencart/opencart (Packagist) | >= 4.0.0.0, < 4.0.2.3 | 4.0.2.3 |
Patches
1 file changed · +2 −2
upload/admin/controller/tool/log.php+2 −2 modified@@ -104,7 +104,7 @@ public function download(): void { $this->load->language('tool/log'); if (isset($this->request->get['filename'])) { - $filename = (string)basename($this->request->get['filename']); + $filename = (string)basename(html_entity_decode($this->request->get['filename'], ENT_QUOTES, 'UTF-8')); } else { $filename = ''; } @@ -140,7 +140,7 @@ public function clear(): void { $this->load->language('tool/log'); if (isset($this->request->get['filename'])) { - $filename = (string)$this->request->get['filename']; + $filename = (string)basename(html_entity_decode($this->request->get['filename'], ENT_QUOTES, 'UTF-8')); } else { $filename = ''; }
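Review bot: in the download() hunk (@@ -104), the decoded value is passed through basename() but nothing in the visible lines rejects a result that is empty, "." or "..", all of which basename() can return unchanged. Suggest checking the resulting name against the files actually present in the log directory before it is used, and adding a one-line comment on why the value is entity-decoded before basename(), since the hunk does not say.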
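Review bot: in the clear() hunk (@@ -140), the added line is a verbatim copy of the expression in download(), and the removed line shows clear() previously had no basename() call at all, which is the kind of drift between the two handlers that duplication invites. Suggest moving the decode-then-basename step into one private helper that both download() and clear() call, so any later change to filename handling applies to both paths.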
References
- github.com/opencart/opencart/commit/0a8dd91e385f70e42795380009fd644224c1bc97 (source: GHSA; patch, web)
- github.com/advisories/GHSA-v4j2-cwmm-xg89 (source: GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-2315 (source: GHSA; advisory)
- starlabs.sg/advisories/23/23-2315/ (source: MITRE; third-party advisory)
- github.com/opencart/opencart/releases/tag/4.0.2.3 (source: GHSA; web)
- starlabs.sg/advisories/23/23-2315 (source: GHSA; web)