CVE-2021-47946 | THREATINT

Description

OpenCart 3.0.36 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email addresses and account information, then use password reset functionality to gain unauthorized access to compromised accounts.

PUBLISHED Reserved 2026-02-01 | Published 2026-05-10 | Updated 2026-05-10 | Assigner VulnCheck

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

Cross-Site Request Forgery (CSRF)

Product status

3.0.3.6

affected

Credits

Mahendra Purbia {Mah3Sec} finder

References

www.exploit-db.com/exploits/49407 (ExploitDB-49407) exploit

www.opencart.com (Official Product Homepage) product

www.opencart.com/index.php?route=cms/download (Product Reference) product

www.vulncheck.com/...takeover-via-cross-site-request-forgery (VulnCheck Advisory: OpenCart 3.0.36 Account Takeover via Cross Site Request Forgery) third-party-advisory

cve.org (CVE-2021-47946)

nvd.nist.gov (CVE-2021-47946)

Download JSON