Security Fix for Puny-Code, 0-Click Account Takeover [SOLVED]

Posted: Tue Jun 17, 2025 5:05 pm
by faca5
Hello.

Based on the most recently available public information, a new method has been discovered that allows unauthorized access to a user's account.

Because of this, we reported the issue to the admin via PM and prepared a fix for older versions (2.x, 3.x).

More information can be found at the link below, along with the path for the security fix:
https://www.opencart.com/index.php?rout ... n_id=47535

Re: Security Fix for Puny-Code, 0-Click Account Takeover

Posted: Tue Jun 17, 2025 5:33 pm
by JNeuhoff
If there is a security issue, why not publish it, and provide a fix via github, to improve the OpenCart core code?

Re: Security Fix for Puny-Code, 0-Click Account Takeover

Posted: Tue Jun 17, 2025 5:49 pm
by ADD Creative
Looks like the issue I reported in February last year.

Has been patched in 3.0.4.0 and above.
https://github.com/opencart/opencart/pull/13710
https://github.com/opencart/opencart/pull/13714

Re: Security Fix for Puny-Code, 0-Click Account Takeover

Posted: Tue Jun 17, 2025 5:58 pm
by ADD Creative
Also patched in version 4.1.0.1 and above.
https://github.com/opencart/opencart/co ... 88dfd597cd

Re: Security Fix for Puny-Code, 0-Click Account Takeover

Posted: Tue Jun 17, 2025 8:55 pm
by faca5
Excellent.

I have tested on 3.0.3.2. I didn't notice that a patch already exists in 3.0.4.0 and 4.1.0.1.

Thank you!