CVE-2024-21518

HIGH

Opencart - Path Traversal

Title source: rule

Description

This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An attacker can create arbitrary files in the web root of the application and overwrite other existing files by exploiting this vulnerability.

References (2)

[Patch] https://github.com/opencart/opencart/blob/04c1724370ab02967d3b4f668c1b67771ecf1ff4/upload/admin/controller/marketplace/installer.php%23L383C1-L383C1

[Exploit, Third Party Advisory] https://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-7266578

Scores

CVSS v3 7.2

EPSS 0.0210

EPSS Percentile 84.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-29 CWE-290 CWE-22

Status published

Products (2)

opencart/opencart 4.0.0.0

opencart/opencart 4.0.0.0Packagist

Published Jun 22, 2024

Tracked Since Feb 18, 2026