CVE-2014-3990

Name of the Vulnerable Software and Affected Versions OpenCart versions 1.5.6.4 and earlier

Description The issue allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP object. This is related to the quantity parameter in an update request.

Recommendations For OpenCart versions 1.5.6.4 and earlier, as a temporary workaround, consider restricting access to the Cart::getProducts method until a patch is available. Avoid using the quantity parameter in update requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.