CVE-2024-21517: Cross site scripting in opencart

CVSS Score (v3.1): 4.2

Basic Information

EPSS Score: 0.0676%
Published: 6/22/2024
Updated: 6/24/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name      | Ecosystem | Vulnerable Versions | First Patched Version
opencart/opencart | composer  | >= 4.0.0.0          |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper handling of the 'redirect' parameter in two key functions:

  1. The index() method passes untrusted GET input directly to the view without encoding.
  2. The login() method's validation (str_starts_with) can be bypassed through URL encoding tricks.

Both functions feed user-controlled data into the template, which renders it unescaped in login.twig's hidden input. The commit shows removal of html_entity_decode in login() but leaves output encoding insufficient, so XSS remains possible despite the partial fix.
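The two defensive steps this analysis points to, written here as an added PHP example that is not OpenCart's code: validate the redirect by parsing it as a URL rather than by decoding it and prefix-matching, then HTML-encode the value at the point where the hidden input is rendered. The store URL, default landing path, function names and the self-check inputs are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not OpenCart's code. STORE_BASE and DEFAULT_PATH are
// constructed values standing in for the real store configuration.
const STORE_BASE   = 'https://shop.example/';
const DEFAULT_PATH = '/account/account';

/**
 * Return a same-site path for the post-login redirect, or null if the
 * candidate must be discarded. The value is parsed, never decoded again:
 * anything still percent-encoded is opaque to the checks below and fails
 * closed, which is what defeats double-encoding tricks against a
 * str_starts_with-style prefix check.
 */
function safeRedirect(string $candidate, string $base = STORE_BASE): ?string
{
    // Control characters and whitespace confuse URL parsers; reject outright.
    if (preg_match('/[\x00-\x20\x7F]/', $candidate) === 1) {
        return null;
    }

    $parts     = parse_url($candidate);
    $baseParts = parse_url($base);
    if ($parts === false || $baseParts === false) {
        return null;
    }

    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute or protocol-relative URL: scheme and host must match the
        // store exactly, and userinfo or an explicit port is not accepted.
        $sameScheme = strtolower($parts['scheme'] ?? '') === strtolower($baseParts['scheme']);
        $sameHost   = strtolower($parts['host'] ?? '') === strtolower($baseParts['host']);
        if (!$sameScheme || !$sameHost
            || isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
            return null;
        }
    } else {
        // Relative reference: must be a single-slash absolute path.
        $path = $parts['path'] ?? '';
        if ($path === '' || $path[0] !== '/'
            || substr($path, 0, 2) === '//' || substr($path, 0, 2) === '/\\') {
            return null;
        }
    }

    // Rebuild from parsed components instead of echoing the raw string.
    $path  = $parts['path'] ?? '/';
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $path . $query;
}

/** HTML-encode a value for use inside a double-quoted attribute. */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * What the login view should emit. Encoding happens here (or through Twig's
 * autoescape, which must stay on and must not be bypassed with |raw) even
 * though the value already passed safeRedirect().
 */
function hiddenRedirectInput(string $rawRedirect): string
{
    $target = safeRedirect($rawRedirect) ?? DEFAULT_PATH;
    return '<input type="hidden" name="redirect" value="' . attr($target) . '">';
}

// Self-check with constructed inputs (run: php redirect_check.php).
function expect(bool $ok, string $label): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $label");
    }
}

expect(safeRedirect('https://shop.example/account/order') === '/account/order', 'same-site absolute URL reduced to its path');
expect(safeRedirect('/account/order?page=2') === '/account/order?page=2', 'relative path kept');
expect(safeRedirect('https://evil.example/') === null, 'foreign host rejected');
expect(safeRedirect('//evil.example/') === null, 'protocol-relative URL rejected');
expect(safeRedirect('https://shop.example@evil.example/') === null, 'userinfo before the real host rejected');
expect(safeRedirect('https%3A%2F%2Fshop.example%2Faccount') === null, 'double-encoded value is not decoded, so it fails closed');
expect(str_contains(hiddenRedirectInput('/account/order?x="><b>'), '&quot;&gt;&lt;b&gt;'), 'quote and angle brackets encoded in the attribute');
echo "all checks passed\n";
```

The script targets PHP 8 (str_contains and the nullable return types). The design point is that the two controls are independent: the parsed-components check stops the value from pointing off-site, while the attribute encoding is what stops it from breaking out of the hidden input, so neither is a substitute for the other.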


WAF Protection Rules

WAF Rule

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and JavaScript into the page response. As this
