PT-2020-13815 · Opencart · Opencart
Th3Lawbreaker · Published 2020-06-09 · Updated 2024-08-04 · CVE-2020-13980
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OpenCart version 3.0.3.3
Description
The issue allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section because of a lack of entity encoding. This problem exists due to an incomplete fix for a previous issue. The vendor notes that this is not a significant issue since it requires being logged into the admin section.
Recommendations
For OpenCart version 3.0.3.3, consider temporarily restricting access to the image upload section for users until a proper fix is applied to prevent XSS attacks. As a mitigation measure, ensure that all filenames are properly sanitized and entity encoded to prevent malicious input.
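An added example (not OpenCart's code and not part of this advisory) of the two controls named in the recommendation: sanitizing the file name when it is stored, and entity-encoding it when it is rendered. The function names, the extension allow-list and the sample names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these are not OpenCart functions.

/**
 * Reduce an uploaded file name to an allow-list of characters before storing it.
 * Returns null when the extension is not allowed or nothing acceptable remains.
 */
function sanitize_upload_name(string $name, array $allowedExt = ['png', 'jpg', 'jpeg', 'gif']): ?string
{
    $name = basename(str_replace('\\', '/', $name));   // drop any path component
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $stem = pathinfo($name, PATHINFO_FILENAME);

    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // Keep letters, digits, dot, dash and underscore; any other run becomes "_".
    $stem = (string) preg_replace('/[^A-Za-z0-9._-]+/', '_', $stem);
    $stem = trim($stem, '._');
    if ($stem === '') {
        return null;
    }
    return substr($stem, 0, 100) . '.' . $ext;
}

/** Entity-encode a file name for HTML text or a quoted attribute value. */
function encode_for_html(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample names, including one that carries markup characters.
$samples = ['logo.png', 'summer <b>"sale".png', '../../notes.php', '<>.gif'];

foreach ($samples as $raw) {
    $stored = sanitize_upload_name($raw);
    printf("raw:    %s\n", $raw);
    printf("stored: %s\n", $stored ?? '(rejected)');
    // Encode at output time too, so names stored before the filter existed
    // are still rendered as text rather than markup.
    $safe = encode_for_html($raw);
    printf("html:   <span title=\"%s\">%s</span>\n\n", $safe, $safe);
}
```

Output encoding is the control that addresses the missing entity encoding described above; the upload-time filter only reduces what can reach the renderer.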
Exploit
Fix
XSS
Affected Products
Opencart