XSS issue on search function.

Hi, i've got a couple of openbugbounty reports outlining an XSS issue on the search function. I'm running 3.0.2.0

Parameter: index.php?route=product/search&search=

Is this something inherent in the opencart 3.0.2.0 release and later patched, or is it possibly coming from the theme i'm using?

As far as I know, OpenCart has no problems with such.
Therefore it could come from your theme if they have their own function for that.

Maybe you share the used theme here (which should always be provided when you read this: Forum Rules ).

Were there any more details?

There is CVE-2025-1746 which mentions an XSS issue with product/search.
https://www.incibe.es/en/incibe-cert/no ... s-opencart

There isn't much in the way of details and It says it's fixed 4.1.0.0 and above, but no mention if it affects 3.0.x.

OSWorX wrote: ↑

Tue Jul 15, 2025 12:48 am

As far as I know, OpenCart has no problems with such.
Therefore it could come from your theme if they have their own function for that.

Maybe you share the used theme here (which should always be provided when you read this: Forum Rules ).

The theme is Journal 2.

ADD Creative wrote: ↑

Tue Jul 15, 2025 1:10 am

Were there any more details?

There is CVE-2025-1746 which mentions an XSS issue with product/search.
https://www.incibe.es/en/incibe-cert/no ... s-opencart

There isn't much in the way of details and It says it's fixed 4.1.0.0 and above, but no mention if it affects 3.0.x.

Yes, details as below. I've omitted the site name for obvious reasons

I am certain it's resolved in OpenCart 3.0.4.0 or later. Besides, you are using the Journal2 framework, which isn't a proper standard OpenCart theme, also it uses its own search function.

adibranch wrote: ↑

Tue Jul 15, 2025 6:53 pm

Yes, details as below. I've omitted the site name for obvious reasons

I wasn't able to recreate the issue on 3.0.2.0 or 3.0.4.1. That suggests the issue is with your theme or an extension you are using.