Lucene search
K

OpenCart 3.0.36 Cross Site Request Forgery

🗓️ 11 Jan 2021 00:00:00Reported by Mahendra PurbiaType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 191 Views

OpenCart 3.0.36 - ATO via Cross Site Request Forger

Code
`# Exploit Title: OpenCart 3.0.36 - ATO via Cross Site Request Forgery  
# Date: 01-09-2021  
# Exploit Author: Mahendra Purbia {Mah3Sec}  
# Vendor Homepage: https://www.opencart.com  
# Software Link: https://www.opencart.com/index.php?route=cms/download  
# Version: OpenCart CMS - 3.0.3.6  
# Tested on: Kali Linux  
  
#Description:  
OpenCart CMS 3.0.3.6 & below versions are vulnerable to Account takeover via CSRF, related to the endpoint /account/edit.  
  
Steps to Reproduce:  
1. create accounts a. victim & b. Attacker (attacker account is just for fetch the request and create a CSRf POC)  
2. Now login with Attacker account and then go to account/edit and change the email and intercept this request in repeater, now create a CSRF POC of that request.  
3. now in that poc change the email and email which is not registered {attacker another email}. Now save this request as a .html file.  
4. now send this POC to the victim. and then the victim opens that file automatically all information is changed like name, email etc.  
5. now attacker access account (with help of forgot password which came on attacker email) and fetch victim all information.  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation