PT-2024-18927 · Unknown · Divido Payment Extension
Calum Hutton · Published 2024-06-21 · Updated 2025-08-14
CVE-2024-21514 · CVSS v3.1 8.1 (High) · Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
opencart/opencart versions 0.0.0 through 3.0.3.9
Description
An SQL injection issue was identified in the Divido payment extension for OpenCart. When the Divido payment module is installed, an anonymous, unauthenticated user can exploit the injection to gain unauthorized access to the backend database. This could allow any unauthenticated user to dump the entire OpenCart database, including customer PII.
Recommendations
For versions 0.0.0 through 3.0.3.9, update the Divido payment extension to a version that includes the fix for the SQL Injection issue.
As a temporary workaround, consider disabling the Divido payment module until a patch is available.
Restrict access to the backend database to minimize the risk of exploitation.
Weakness Enumeration
SQL injection
Affected Products
Divido Payment Extension
OpenCart