CVE-2024-21518

Name of the Vulnerable Software and Affected Versions opencart/opencart versions 4.0.0.0 and later

Description A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An attacker can create arbitrary files in the web root of the application and overwrite other existing files by exploiting this issue.

Recommendations For versions 4.0.0.0 and later, update the opencart/opencart package to a version that includes the fix for the Zip Slip vulnerability. As a temporary workaround, consider disabling the marketplace installer until a patch is available. Restrict access to the marketplace installer to minimize the risk of exploitation. Avoid using the marketplace installer to install packages from untrusted sources until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.