Gonzalo Aguilar García

**Name of the Vulnerable Software and Affected Versions** OpenCart versions prior to 4.1.0 **Description** The issue allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL using the search in the "/product/search" endpoint. This could be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. **Recommendations** For versions prior to 4.1.0, update to version 4.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/product/search" endpoint until a patch is available. Avoid using the search function in the "/product/search" endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenCart versions prior to 4.1.0 **Description** The issue allows an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in "/account/login" API endpoint. This could potentially lead to HTML injection attacks. **Recommendations** For versions prior to 4.1.0, update to version 4.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/account/login` API endpoint until a patch is available. Avoid using malicious or unverified parameter names in the `/account/login` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenCart versions prior to 4.1.0 **Description** The issue allows an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the `parameter name` in the "/account/register" API endpoint. **Recommendations** For versions prior to 4.1.0, update to version 4.1.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OpenCart versions prior to 4.1.0 **Description** The issue allows an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the `parameter name` in the "/account/voucher" API endpoint. This could potentially lead to HTML injection attacks. **Recommendations** For versions prior to 4.1.0, update to version 4.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/account/voucher" API endpoint until the update is applied. Avoid using the vulnerable `parameter name` in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Soteshop versions prior to 8.3.4 **Description** A Cross-Site Scripting (XSS) issue exists, allowing remote attackers to execute arbitrary code via the `query` parameter in "/app-google-custom-search/searchResults". This can lead to the theft of sensitive user data, such as session cookies, or allow actions to be performed on behalf of the user. **Recommendations** For versions prior to 8.3.4, update to version 8.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/app-google-custom-search/searchResults" endpoint or sanitizing the `query` parameter to minimize the risk of exploitation.