CVE-2018-13067

Name of the Vulnerable Software and Affected Versions OpenCart versions 3.0.2.0 and earlier

Description The issue allows for a CSRF attack via the "index.php?route=account/password" URI, enabling an attacker to change a user's password. This is possible due to a vulnerability in the "/upload/catalog/controller/account/password.php" file.

Recommendations For OpenCart versions 3.0.2.0 and earlier, as a temporary workaround, consider restricting access to the "/upload/catalog/controller/account/password.php" file until a patch is available. Avoid using the "index.php?route=account/password" URI for password changes until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.