CVE-2024-36694 |
[opencart/opencart] Duplicate Advisory: openCart Server-Side Template Injection (SSTI) vulnerability
Description: Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-xrh7-2gfq-4rcq. This link is maintained to preserve external references.
Original Description
OpenCart 4.0.2.3 is vulnerable to Server-Side Template Injection (SSTI) via the Theme Editor Function.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-36694
https://github.com/opencart/opencart/issues/13863
https://github.com/A3h1nt/CVEs/blob/main/OpenCart/Readme.md
https://github.com/opencart/opencart/releases/tag/4.0.2.3
https://medium.com/@pawarit.sanguanpang/opencart-v4-0-2-3-server-side-template-injection-0b173a3bdcf9
https://github.com/advisories/GHSA-j2v2-3784-vr44
EPSS Score: 0.05%
December 19th, 2024 (6 months ago)
|
![]() |
Description: In December 2024, the video sharing Community BitView suffered a data breach that exposed 63k customer records. Attributed to a backup taken by a previous administrator earlier in the year, the breach exposed email and IP addresses, bcrypt password hashes, usernames, bios, private messages, video comments and for some records, gender, date of birth and country of location.
December 19th, 2024 (6 months ago)
|
![]() |
Description: The draft of the long-awaited update to the NCIRP outlines the efforts, mechanisms, involved parties, and decisions the US government will use in response to a large-scale cyber incident.
December 19th, 2024 (6 months ago)
|
![]() |
Description: The number of DDoS-related incidents targeting APIs have jumped by 30x compared with traditional Web assets, suggesting that attackers see the growing API landscape as the more attractive target.
December 19th, 2024 (6 months ago)
|
CVE-2024-56319 |
Description: In Matter (aka connectedhomeip or Project CHIP) through 1.4.0.0 before e3277eb, unlimited user label appends in a userlabel cluster can lead to a denial of service (resource exhaustion).
EPSS Score: 0.05%
December 19th, 2024 (6 months ago)
|
CVE-2024-56175 |
Description: In Optimizely Configured Commerce before 5.2.2408, malicious payloads can be stored and subsequently executed in users' browsers under specific conditions: XSS from client-side template injection in list item names.
EPSS Score: 0.04%
December 19th, 2024 (6 months ago)
|
CVE-2024-56174 |
Description: In Optimizely Configured Commerce before 5.2.2408, malicious payloads can be stored and subsequently executed in users' browsers under specific conditions: XSS from client-side template injection in search history.
EPSS Score: 0.04%
December 19th, 2024 (6 months ago)
|
CVE-2024-56173 |
Description: In Optimizely Configured Commerce before 5.2.2408, malicious payloads can be stored and subsequently executed in users' browsers under specific conditions: XSS from JavaScript in an SVG document.
EPSS Score: 0.04%
December 19th, 2024 (6 months ago)
|
CVE-2024-56170 |
Description: A validation integrity issue was discovered in Fort through 1.6.4 before 2.0.0. RPKI manifests are listings of relevant files that clients are supposed to verify. Assuming everything else is correct, the most recent version of a manifest should be prioritized over other versions, to prevent replays, accidental or otherwise. Manifests contain the manifestNumber and thisUpdate fields, which can be used to gauge the relevance of a given manifest, when compared to other manifests. The former is a serial-like sequential number, and the latter is the date on which the manifest was created. However, the product does not compare the up-to-dateness of the most recently fetched manifest against the cached manifest. As such, it's prone to a rollback to a previous version if it's served a valid outdated manifest. This leads to outdated route origin validation.
EPSS Score: 0.04%
December 19th, 2024 (6 months ago)
|
CVE-2024-56169 |
Description: A validation integrity issue was discovered in Fort through 1.6.4 before 2.0.0. RPKI Relying Parties (such as Fort) are supposed to maintain a backup cache of the remote RPKI data. This can be employed as a fallback in case a new fetch fails or yields incorrect files. However, the product currently uses its cache merely as a bandwidth saving tool (because fetching is performed through deltas). If a fetch fails midway or yields incorrect files, there is no viable fallback. This leads to incomplete route origin validation data.
EPSS Score: 0.04%
December 19th, 2024 (6 months ago)
|