Hello Opencart Support team,
I have found one Security Issue in Opencart and I would like to report this issue. This issue exists in the Opencart Image Manager.
Please find the attached pdf below for detailed explanation about this security vulnerability.
In case of any query or false positive, please do let me know.
Thanks
Attachments
Attached Security Assessment Report
How have you bypassed the admin login?
Upgrade Service | OC 2.3.0.2 PHP 8 | My Custom OC 3.0.3.8 | Buy me a beer
Unless you can provide some more details, as per the forum rules, we won't be able to help you here. It appears you are using a 3rd party OpenCart extension for seller accounts, hence you should also contact the extension author.
Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig
This issue has already been reported. See https://github.com/opencart/opencart/issues/7810.
They haven't, but it still could be used to bypass admin user permissions. It should really be fixed, otherwise what's the point of having admin user groups with different permissions.
The problem is probably worse for the original poster, as it looks like they are using some sort of marketplace extension.
Run the same test with OpenCart 3.0.3.9 or the 3.0.x.x branch, to see whether this issue is still there or not.
Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig
If you are using OpenCart 3.0.x with some sort of seller marketplace extension that uses the admin or parts of the admin (even if it's just reused code), then you should also be aware of other issues, such as the following. https://github.com/opencart/opencart/issues/4571
In fact OpenCart's policy of ignoring these sort of vulnerabilities on the admin side, just because you need admin access, would make it really unsuitable for that type of extension. Even a seller adding a script to a product description that's executed on the catalogue side could be a major problem.
@ADD Creative
I think in OC 4 it was already fixed
https://github.com/opencart/opencart/bl ... r.php#L377
LE. Or not. Tested now
Upgrade Service | OC 2.3.0.2 PHP 8 | My Custom OC 3.0.3.8 | Buy me a beer
xxvirusxx wrote: Sat Oct 28, 2023 5:25 pm
@ADD Creative
I think in OC 4 it was already fixed
https://github.com/opencart/opencart/bl ... r.php#L377
LE. Or not. Tested now

The regular expression is wrong. See the bottom of my comment https://github.com/opencart/opencart/is ... -573800058.