CVE-2021-47946

Published: Mag 10, 2026 Last Modified: Mag 10, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,9

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

MEDIUM 5,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: low

Availability: none

Description

AI Translation Available

OpenCart 3.0.36 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email addresses and account information, then use password reset functionality to gain unauthorized access to compromised accounts.

352

Cross-Site Request Forgery (CSRF)

Stable

Abstraction: Compound Structure: Composite

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability Non-Repudiation Access Control

Potential Impacts:

Gain Privileges Or Assume Identity Bypass Protection Mechanism Read Application Data Modify Application Data Dos: Crash, Exit, Or Restart

Applicable Platforms

Technologies: Web Based, Web Server

Likelihood of Exploit: Medium

View CWE Details

https://www.exploit-db.com/exploits/49407

https://www.exploit-db.com/exploits/49407

https://www.opencart.com

https://www.opencart.com

https://www.opencart.com/index.php?route=cms/download

https://www.opencart.com/index.php?route=cms/download

https://www.vulncheck.com/advisories/opencart-account-takeo…

https://www.vulncheck.com/advisories/opencart-account-takeover-via-cross-site-r…