CVE-2025-1747

Name of the Vulnerable Software and Affected Versions OpenCart versions prior to 4.1.0

Description The issue allows an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in "/account/login" API endpoint. This could potentially lead to HTML injection attacks.

Recommendations For versions prior to 4.1.0, update to version 4.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the /account/login API endpoint until a patch is available. Avoid using malicious or unverified parameter names in the /account/login endpoint to minimize the risk of exploitation.