Opencart TMD Vendor System Blind SQL Injection Vulnerability (CVE-2021-47928)

hello@craftedsignal.io — Sun, 10 May 2026 13:19:42 +0000

Opencart TMD Vendor System 3.x is susceptible to a blind SQL injection vulnerability (CVE-2021-47928) that enables unauthenticated attackers to extract sensitive database information. The vulnerability stems from insufficient input sanitization of the product_id parameter, allowing injection of malicious SQL code. By leveraging time-based or content-based blind injection techniques, attackers can enumerate usernames, emails, and password reset codes from the oc_user table. This can lead to unauthorized access to user accounts and potential data breaches. This vulnerability was reported to NVD on May 10, 2026.

Attack Chain

An unauthenticated attacker identifies the vulnerable product_id parameter in the Opencart TMD Vendor System 3.x application.
The attacker crafts a malicious HTTP GET request with a SQL injection payload embedded within the product_id parameter.
The application processes the crafted request without proper sanitization, passing the malicious SQL code to the database server.
The database server executes the injected SQL code, performing actions such as querying the oc_user table.
Using blind SQL injection techniques (time-based or content-based), the attacker infers information about the database structure and contents.
The attacker iterates through the database, extracting sensitive information such as usernames, emails, and password reset codes.
The attacker uses the extracted credentials or password reset codes to gain unauthorized access to user accounts.
The attacker may further compromise the system, exfiltrate data, or perform other malicious activities.

Impact

Successful exploitation of this vulnerability (CVE-2021-47928) can lead to complete database compromise, including exposure of user credentials, personally identifiable information (PII), and other sensitive data. Unauthenticated attackers can leverage this access to take over administrator accounts, modify website content, or gain deeper access into the target network. Given the potential for widespread exploitation, organizations using Opencart TMD Vendor System 3.x are at significant risk.

Recommendation

Apply available patches or upgrade to a secure version of Opencart TMD Vendor System to remediate CVE-2021-47928.
Deploy the Sigma rule “Detect CVE-2021-47928 Exploitation — Opencart TMD Vendor System Blind SQL Injection” to identify exploitation attempts in web server logs.
Implement web application firewall (WAF) rules to block requests containing SQL injection payloads targeting the product_id parameter.
Enforce the principle of least privilege on database accounts to limit the impact of successful SQL injection attacks.
Regularly review and audit web application code for SQL injection vulnerabilities using static and dynamic analysis tools.

OpenCart Session Fixation Vulnerability (CVE-2021-47923)

hello@craftedsignal.io — Sun, 10 May 2026 13:18:34 +0000

OpenCart 3.0.3.8 is susceptible to a session fixation vulnerability, identified as CVE-2021-47923. This flaw allows a remote attacker to hijack legitimate user sessions by injecting arbitrary values into the OCSESSID cookie. By setting a malicious OCSESSID value, the attacker can force the server to associate the victim’s session with the attacker-controlled session ID. This vulnerability enables unauthorized access to user accounts without requiring the attacker to know the user’s credentials directly. A successful attack could lead to account takeover, data theft, and modification of user profiles.

Attack Chain

The attacker identifies an OpenCart 3.0.3.8 instance.
The attacker crafts a malicious OCSESSID cookie value.
The attacker injects the malicious OCSESSID cookie value into a victim’s browser session. This can be achieved through various methods, such as phishing or man-in-the-middle attacks.
The victim visits the OpenCart site, and their browser sends the manipulated OCSESSID cookie.
The OpenCart server accepts the attacker-controlled OCSESSID value and associates it with the victim’s session.
The attacker uses the same malicious OCSESSID cookie to access the OpenCart site.
The server recognizes the attacker’s session as the victim’s, granting the attacker unauthorized access.
The attacker can now perform actions as the victim, such as viewing personal information, modifying settings, or making purchases.

Impact

Successful exploitation of this session fixation vulnerability can result in complete account takeover. An attacker can gain unauthorized access to sensitive user data, including personal information, order history, and payment details. This can lead to financial loss for the victim, reputational damage to the OpenCart store, and potential legal liabilities. Given the high CVSS score (9.8), this vulnerability poses a significant risk to OpenCart users.

Recommendation

Upgrade to a patched version of OpenCart that addresses CVE-2021-47923.
Deploy the Sigma rule Detect OpenCart Session Fixation Attempt via OCSESSID Manipulation to monitor for suspicious OCSESSID cookie values.
Implement server-side checks to validate the legitimacy of the OCSESSID cookie.
Enforce strict cookie policies, including setting the HttpOnly and Secure flags for the OCSESSID cookie to prevent client-side script access and transmission over unencrypted connections.

Opencart — CraftedSignal Threat Feed

Opencart TMD Vendor System Blind SQL Injection Vulnerability (CVE-2021-47928)

Attack Chain

Impact

Recommendation

OpenCart Session Fixation Vulnerability (CVE-2021-47923)

Attack Chain

Impact

Recommendation