PT-2026-39504 · Opencart · Tmd Vendor System

Published: 2026-05-10 · Updated: 2026-05-10 · CVE-2021-47928

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Opencart TMD Vendor System versions 3.x

Description

A blind SQL injection allows unauthenticated attackers to extract database information. By injecting SQL code through the product_id parameter, attackers can use time-based or content-based blind injection techniques to enumerate usernames, emails, and password reset codes from the oc_user table. Blind SQL injection is a technique in which the attacker asks the database true/false questions and infers each answer from the application's response or from the time it takes to respond.

Recommendations

Update Opencart TMD Vendor System versions 3.x to the patched version. As a temporary workaround, restrict or sanitize input for the product_id parameter to minimize the risk of exploitation.
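
One way to apply the "restrict input" workaround as a log or proxy-side check, added here as an illustration and not taken from the advisory or the vendor: flag any request whose product_id is not a single plain integer. It assumes the parameter travels in the query string and that valid ids are 1 to 10 ASCII digits; the log lines, route names and function names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a legitimate product_id is a short run of ASCII digits.
VALID_ID = re.compile(r"[0-9]{1,10}")
# Request field of a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def product_id_params(url):
    """Return decoded (name, value) pairs for product_id, including PHP array forms."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(k, v) for k, v in pairs
            if k == "product_id" or k.startswith("product_id[")]

def is_suspicious(url):
    """True when product_id is present but is not exactly one plain integer."""
    params = product_id_params(url)
    if not params:
        return False          # parameter absent: nothing to judge
    if len(params) != 1:
        return True           # repeated parameter (parameter pollution)
    name, value = params[0]
    # product_id[] turns the value into an array on the PHP side: reject it too.
    return name != "product_id" or VALID_ID.fullmatch(value) is None

def flag_log_lines(lines):
    """Return (line_number, url) for each request whose product_id fails the check."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if match and is_suspicious(match.group(1)):
            hits.append((number, match.group(1)))
    return hits

# Constructed sample access-log lines (routes and addresses are placeholders).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2026:10:00:01 +0000] "GET /index.php?route=placeholder/route&product_id=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/May/2026:10:00:02 +0000] "GET /index.php?route=placeholder/route&product_id=42%27 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/May/2026:10:00:03 +0000] "GET /index.php?route=placeholder/route&product_id=42%20and%201%3D1 HTTP/1.1" 200 812',
    '203.0.113.9 - - [10/May/2026:10:00:04 +0000] "GET /index.php?route=placeholder/route&product_id=1&product_id=2 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/May/2026:10:00:05 +0000] "GET /index.php?route=placeholder/home HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for number, url in flag_log_lines(SAMPLE_LOG):
        print(f"line {number}: {url}")
```

The same allow-list rule can be enforced as a blocking filter in front of the application until the patched version is installed; it does not cover values sent in a request body.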

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers: CVE-2021-47928

Affected Products: Tmd Vendor System