CVE Catalog

CVE-2021-47923

Critical
Published: Translated: NVD NIST

Summary

OpenCart version 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover and unauthorized access to user accounts.

Risk Assessment

This vulnerability poses a risk of user account takeover, which can lead to data loss and privacy breaches. Organizations should be aware of the potential consequences associated with unauthorized access to accounts.

Recommendation

It is recommended to update OpenCart to the latest version to mitigate this vulnerability. Additionally, implementing session security mechanisms, such as session ID regeneration upon login, is advisable.

Original NVD description (English source)

OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover and unauthorized access to user accounts.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS