VYPR
High severity · NVD Advisory · Published Jun 22, 2024 · Updated Aug 1, 2024

CVE-2024-21519

Description

This affects versions of the package opencart/opencart from 4.0.0.0. An Arbitrary File Creation issue was identified via the database restoration functionality. By injecting PHP code into the database, an attacker with admin privileges can create a backup file with an arbitrary filename (including the extension) within /system/storage/backup. Note: it is less likely for the created file to be reachable within the web root, because the application's security recommendations suggest moving the storage path outside of the web root.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: opencart/opencart (Packagist)
Affected versions: >= 4.0.0.0
Patched versions: none listed

Vulnerability mechanics

Root cause

"Improper input validation on the filename parameter in the database restoration/upload functionality allows an attacker to create arbitrary files with controlled names and content."

Attack vector

An attacker with admin privileges can inject PHP code into the database, then use the database restoration functionality to create a backup file with an arbitrary filename (including extension) inside `/system/storage/backup` [ref_id=1][ref_id=3]. The Snyk advisory shows that the `filename` parameter of the `admin/tool/upload.upload` route bypasses the application's default `htmlspecialchars` encoding, allowing unencoded data to be stored in the database [ref_id=3]. Because the filename is attacker-controlled and not validated, the resulting file can contain PHP code and be named with a `.php` extension [CWE-20]. The advisory notes that the storage path is typically outside the web root per security recommendations, making direct remote execution less likely [ref_id=1][ref_id=3].

Affected code

The vulnerability exists in the database restoration functionality of OpenCart. The Snyk advisory identifies the `admin/tool/upload.upload` route as a specific entry point, noting that the `filename` parameter in that route is not sanitized like other user input (which is passed through `htmlspecialchars` at startup) [ref_id=3]. The backup file is created within `/system/storage/backup` [ref_id=1][ref_id=3].

What the fix does

The Snyk advisory states that there is no fixed version for opencart/opencart as of the disclosure date [ref_id=3]. The remediation guidance is implicit in the vulnerability description: input validation must be added to the `filename` parameter (and similar parameters) in the database restoration and upload functionality to prevent arbitrary file creation [CWE-20]. Without a published patch, administrators should ensure the storage directory is moved outside the web root as recommended, and restrict admin panel access to trusted users only [ref_id=1][ref_id=3].
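As an added illustration of the validation the paragraph above calls for (this is not OpenCart's code and not the project's patch), the following function accepts a requested backup filename only if it is a bare name, uses a conservative character set, carries a server-fixed `.sql` extension, and resolves to a path directly inside the configured backup directory. The function name `safeBackupPath`, the exception class and the demo directory are assumptions for this example.

```php
<?php
// Added example, not OpenCart code: defensive check for a user-supplied backup
// filename before it is used under the storage backup directory. Constructed for
// this advisory; safeBackupPath() and BackupFilenameException are hypothetical names.
declare(strict_types=1);

final class BackupFilenameException extends RuntimeException {}

/**
 * Return a safe absolute path inside $backupDir for a requested backup filename,
 * or throw. Enforces: bare filename only (no path components or NUL bytes), a
 * conservative character set, a fixed ".sql" extension, and that the final path
 * is directly inside $backupDir.
 */
function safeBackupPath(string $backupDir, string $requested): string
{
    // Reject anything that is not a bare filename: separators, traversal, NUL.
    if ($requested === '' || $requested !== basename($requested) || strpos($requested, "\0") !== false) {
        throw new BackupFilenameException('filename must be a bare file name');
    }
    // Allowlist: letters, digits, dash, underscore, then exactly ".sql". Because the
    // extension is fixed by the server, names such as "shell.php" or "x.php.sql" are refused.
    if (!preg_match('/^[A-Za-z0-9_-]+\.sql$/', $requested)) {
        throw new BackupFilenameException('filename must match [A-Za-z0-9_-]+.sql');
    }
    $root = realpath($backupDir);
    if ($root === false || !is_dir($root)) {
        throw new BackupFilenameException('backup directory does not exist');
    }
    $target = $root . DIRECTORY_SEPARATOR . $requested;
    // Belt and braces: the parent of the final path must be the backup directory itself.
    if (dirname($target) !== $root) {
        throw new BackupFilenameException('resolved path escaped backup directory');
    }
    return $target;
}

// Constructed demonstration inputs (a temp directory stands in for /system/storage/backup).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'oc_backup_demo';
@mkdir($dir);
foreach (['backup_2024-06-22.sql', 'shell.php', '../outside.sql', 'x.php.sql'] as $name) {
    try {
        echo $name, ' -> ', safeBackupPath($dir, $name), PHP_EOL;
    } catch (BackupFilenameException $e) {
        echo $name, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the first name is accepted; the other three are rejected before any file is written, which is the property the missing input validation on `filename` would need to provide.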

Preconditions

  • auth: Attacker must have admin-level privileges in the OpenCart admin panel
  • input: Attacker must be able to inject PHP code into the database (e.g., via the unsanitized filename parameter on the tool/upload.upload route)
  • config: The application must be an affected version of opencart/opencart from 4.0.0.0

Reproduction

The Snyk advisory provides a partial PoC showing the HTTP request to the vulnerable route: `POST http://127.0.0.1/opencart/admin/index.php?route=tool/upload.upload&user_token=cd4d0433339a18c414c67e090c96a9f2` with `Content-Type: multipart/form-data` [ref_id=3]. The advisory notes that the `filename` parameter in this route is not passed through `htmlspecialchars` like other user input, allowing unencoded data to be stored in the database [ref_id=3]. Full reproduction steps are not provided beyond this request template.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
