Description
What version of OpenCart are you reporting this for?
Opencart 3.0.3.2
Describe the bug
An authenticated stored Cross-Site Scripting (XSS) vulnerability was found in the user image upload section of the OpenCart admin panel. OpenCart accepts filenames containing arbitrary markup and does not escape them when they are displayed, so the JavaScript gets executed. A malicious script can be injected permanently into the admin dashboard and used to steal the user's sensitive information such as cookies, keystrokes and account details.
To Reproduce
Steps to reproduce the behavior:
- Go to localhost.com/opencart/admin and log in with credentials.
- Then navigate to System > Users > Users and click on the Action button in the top right corner.
- Now in the image field, click on the image and upload a new image. Before this, select any image file and rename it with this XSS payload "><svg onload=alert("XSS")>, then upload it as the new user profile image.
- After the upload completes the XSS pop-up executes as shown below, and it gets executed each time someone visits the Image manager section.

Expected behavior
HTML tags and special characters should be escaped and sanitized before they are stored or processed, so that the code does not execute. Although XSS was strictly filtered in other sections, here we were able to execute it through the filename, so filenames, file extensions and headers should be analyzed to prevent XSS and other file upload vulnerabilities.
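As an added illustration of the fix described above (this is example code, not OpenCart's own upload or image-manager code), the following PHP validates an uploaded image's filename with an allow-list on the way in and escapes it on the way out; the extension list and the 100-character limit are assumptions for the example.

```php
<?php
// Added example (not OpenCart's own code): validate an uploaded image's
// filename when it is received, and escape it when it is rendered, so a
// filename like the one in this report cannot be parsed as markup in the
// image manager.

// Constructed sample input: the payload from the report plus an image extension.
$reported = '"><svg onload=alert("XSS")>.png';

// Allowed image extensions (assumption for this example; a real deployment
// takes this list from its own configuration).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/**
 * Return a safe filename, or null if the name must be rejected.
 * Only [A-Za-z0-9._-] may appear in the base name, the extension must be
 * on the allow-list, and any directory component is discarded.
 */
function validate_upload_filename(string $name): ?string
{
    $name = basename($name);                                  // drop any path part
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $base = pathinfo($name, PATHINFO_FILENAME);

    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;                                          // forbidden type
    }
    // Reject rather than silently strip: a name containing <, >, " or other
    // markup characters is something to log, not something to repair.
    if (!preg_match('/^[A-Za-z0-9._-]{1,100}$/', $base)) {
        return null;
    }
    return $base . '.' . $ext;
}

/** Escape a stored filename for use inside an HTML attribute or text node. */
function render_filename(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Input validation: the reported name is rejected, an ordinary name is kept.
var_dump(validate_upload_filename($reported));
var_dump(validate_upload_filename('avatar_2023.png'));

// Output encoding as a second layer: even if a bad name reaches a template,
// escaping keeps the browser from treating it as markup.
echo '<img src="image/' . render_filename($reported) . '">' . "\n";
```

Both layers matter: validation stops the name being stored, and output escaping covers names that were stored before the check existed.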
Screenshots / Screen recordings
Server / Test environment (please complete the following information):
- Kali Linux 4.19.0
- PHP version: 7.1.32
- Apache version: 2.4.41
- Browser(s) tested with: Mozilla Firefox Latest Build