Store XSS Vulnerability in Opencart 3.0.3.3 - Upload Images #7974

Closed
th3lawbreaker opened this issue May 31, 2020 · 5 comments
Comments

@th3lawbreaker

th3lawbreaker commented May 31, 2020

Spam

@ADDCreative
Contributor

Duplicate of #7810.

@danielkerr
Member

danielkerr commented Jun 1, 2020

I'm closing because it's a duplicate. This is not a massive issue as you are still required to be logged into the admin.

@opencart opencart deleted a comment from huntr-helper Jul 29, 2020
ADDCreative added a commit to ADDCreative/opencart that referenced this issue Jul 29, 2020
@NulAsh

NulAsh commented Aug 2, 2021

> I'm closing because it's a duplicate. This is not a massive issue as you are still required to be logged into the admin.

Opencart allows multiple admins (employees) with different privileges. For example, the main admin should have access to everything, a designer has access to the configuration of themes, a logistician has access to this, a salesman to that; you get the point, I hope.
Only the main admin should have access to uploading modules, because if you can upload modules, you can do anything on this website; you can totally control it.

The main vulnerability of any website is the people operating it. We can't expect them all to be security experts. Their computers can be hacked or infected with backdoors, their passwords can be written on stickers attached to the monitor, etc. That's why privilege escalation should not be possible: a hacker somehow gets the password of a salesman and then, using a vulnerability, gains the privileges of the main admin.

@danielkerr
Member

danielkerr commented Aug 3, 2021

You're talking crap you don't know about. Opencart can restrict every page based on the user group that the user is part of.

@ADDCreative
Contributor

The user groups set the restrictions for a user. However, as one example: a restricted user that only had access to catalog/product and common/filemanager could use this to create a payload that, if a full administrator triggers it, could allow the restricted user to move themselves into another user group, therefore gaining full permissions.

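The thread describes the risk in general terms: an uploaded image name that is written back into the file manager's HTML unescaped is stored XSS, and because the file manager is shared between user groups, the person who views it may hold more privileges than the person who uploaded it. The following PHP is an added illustration of the two defensive controls that break that chain, an allow-list on the stored filename and HTML escaping on output. It is not Opencart's own code, does not reproduce the referenced fix commit, and the function names, the allowed extensions and the sample filename are all assumptions constructed for the example.

```php
<?php
// Added example, not Opencart's code: defensive handling of an uploaded image
// filename in a shared file manager. Function names and the sample input are
// constructed for illustration.

/**
 * Normalise an uploaded image filename to an allow-list (hypothetical helper).
 * Directory components are stripped, anything outside [A-Za-z0-9._-] is
 * replaced, dot-files are rejected, and the extension must be an expected
 * image type. Returns null when the name is rejected outright.
 */
function safeImageFilename(string $name): ?string
{
    // basename() removes path components such as "../" or leading directories
    $name = basename($name);
    // collapse every character that is not a plain filename character
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    // reject empty names and hidden files such as ".htaccess"
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $allowedExtensions = ['jpg', 'jpeg', 'png', 'gif', 'webp']; // assumption
    if (!in_array($ext, $allowedExtensions, true)) {
        return null;
    }
    return $name;
}

/**
 * The pattern that produces stored XSS: the stored name is concatenated
 * straight into markup, so any "<" or quote in it becomes part of the page
 * rendered in the administrator's browser.
 */
function renderFilenameUnsafe(string $name): string
{
    return '<span class="filename">' . $name . '</span>';
}

/**
 * Hardened form: escape on output. This is the control that still holds even
 * if a name reached storage by some path that bypassed the allow-list.
 */
function renderFilenameSafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="filename">' . $escaped . '</span>';
}

// Constructed sample input: a filename carrying markup characters, which is the
// shape of input a low-privilege uploader controls.
$submitted = '../photo<b>"x".png';

$stored = safeImageFilename($submitted);
echo "allow-listed name: " . var_export($stored, true) . PHP_EOL;
// allow-list result: "photo_b__x_.png"

echo "unsafe render:     " . renderFilenameUnsafe($submitted) . PHP_EOL;
// the raw markup is emitted into the page as-is
echo "safe render:       " . renderFilenameSafe($submitted) . PHP_EOL;
// every "<", ">" and quote becomes an HTML entity and is shown as text
```

Both controls matter: the allow-list keeps hostile characters out of the directory listing in the first place, and the output escaping protects any template that renders a stored name, including names that pre-date the allow-list. Neither control depends on who is viewing the page, which is the point ADDCreative makes above: the uploader's low privilege is no protection when the rendered page is opened by a full administrator.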