CVE-2021-47923
CriticalSummary
OpenCart version 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover and unauthorized access to user accounts.
Risk Assessment
This vulnerability poses a risk of user account takeover, which can lead to data loss and privacy breaches. Organizations should be aware of the potential consequences associated with unauthorized access to accounts.
Recommendation
It is recommended to update OpenCart to the latest version to mitigate this vulnerability. Additionally, implementing session security mechanisms, such as session ID regeneration upon login, is advisable.
Original NVD description (English source)
OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover and unauthorized access to user accounts.

