Cyber Resilience

CVE-2024-21514

Severity: High · Public PoC referenced
Published: 22 June 2024
Modified: 21 November 2024
CISA KEV: not listed
Patch: corrective commit available (see Deeper analysis)
CVSS v3.1: 7.4 (High) · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.6604 (98.5th percentile)
Risk Priority: 54 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-21514 is a high-severity SQL injection (CWE-89) vulnerability in the opencart/opencart package, specifically in its bundled Divido payment extension. Its CVSS v3.1 base score is 7.4 (High).

Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-21514 is an SQL injection vulnerability (CWE-89) in the Divido payment extension bundled with OpenCart. It affects all versions of the opencart/opencart package from 0.0.0 onward and is present by default in version 3.0.3.9. The flaw lies in how the extension builds a database query from unsanitized input, in catalog/model/extension/payment/divido.php.

An unauthenticated remote attacker can trigger the injection whenever the Divido module is installed, even if it is disabled; where the patch cannot be applied, the exposure is closed only by removing the extension, not by disabling it. Exploitation gives direct access to the backend database, enabling an attacker to dump its full contents, including customer PII, or to perform other unauthorized database operations. Note that the CVSS vector records no confidentiality impact (C:N), which is at odds with the data-disclosure impact the description itself states; treat the 7.4 as a lower bound when prioritising.

Public references point to a corrective commit (46bd5f5a8056ff9aad0aa7d71729c4cf593d67e2) that fixes the vulnerable query construction. The EPSS score currently stands at 0.6604 and has not risen materially above its post-disclosure baseline.
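The weakness class in concrete form, as an added example that is not code from OpenCart or the Divido extension (the actual vulnerable query in divido.php is not reproduced on this page): a Python/SQLite script with constructed sample tables, in which an order lookup whose id is concatenated into the SQL text lets an unauthenticated caller append a UNION that reads customer rows, while the same lookup with a bound parameter returns nothing for the payload, and a type check in front of it rejects the payload outright (the Python analogue of the (int) cast commonly seen on identifiers in OpenCart model code). Table names, column names, sample rows and the payload are assumptions for illustration, not OpenCart's schema.

```python
# Added illustration of CWE-89 (not OpenCart/Divido code): a lookup keyed on
# an order id, first with the id spliced into SQL text, then parameterised.
# Schema, rows and payload are constructed for the demo; they are not
# OpenCart's tables.
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory SQLite store populated with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE payment_lookup (
            lookup_id INTEGER PRIMARY KEY,
            order_id  INTEGER NOT NULL,
            token     TEXT    NOT NULL
        );
        CREATE TABLE customer (
            customer_id INTEGER PRIMARY KEY,
            email       TEXT NOT NULL,
            telephone   TEXT NOT NULL
        );
        INSERT INTO payment_lookup VALUES (1, 100, 'tok-aaa'), (2, 101, 'tok-bbb');
        INSERT INTO customer VALUES
            (1, 'alice@example.com', '+44 1234 567890'),
            (2, 'bob@example.com',   '+44 9876 543210');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, order_id: str) -> list:
    """Vulnerable pattern: untrusted text becomes part of the SQL grammar."""
    sql = "SELECT token FROM payment_lookup WHERE order_id = '" + order_id + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, order_id) -> list:
    """Hardened: the value is bound as a parameter and can only ever be data."""
    sql = "SELECT token FROM payment_lookup WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


def lookup_typed(conn: sqlite3.Connection, order_id: str) -> list:
    """Input validation on top of binding: enforce the expected type before
    the value reaches SQL. int() raises ValueError for anything non-numeric."""
    return lookup_hardened(conn, int(order_id))


# Constructed payload: closes the quoted literal, appends a UNION that reads
# the customer table, and comments out the trailing quote the code appends.
PAYLOAD = "100' UNION SELECT email || ':' || telephone FROM customer --"


def demonstrate() -> dict:
    """Run each variant against a benign id and against the payload."""
    conn = build_db()
    try:
        lookup_typed(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "100"),
        # sorted(): UNION output order is not guaranteed
        "vulnerable_payload": sorted(lookup_vulnerable(conn, PAYLOAD)),
        "hardened_normal": lookup_hardened(conn, "100"),
        "hardened_payload": lookup_hardened(conn, PAYLOAD),
        "typed_normal": lookup_typed(conn, "100"),
        "typed_payload_rejected": rejected,
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The vulnerable variant returns the customer rows alongside the legitimate token for the payload, which is exactly the "dump the database" outcome the description warns of; the bound-parameter variant compares the whole payload string against the integer column and matches nothing. The UNION shape is chosen because sqlite3's execute() refuses stacked statements, so a single-statement injection is the realistic case here.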


Vulnerability details

This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have to be enabled), it is possible to exploit SQL injection to gain unauthorised access to the backend database. For any site which is vulnerable, any unauthenticated user could exploit this to dump the entire OpenCart database, including customer PII data.

CWE(s)

CWE-89: SQL Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: opencart
Product: opencart
Version listed: 3.0.3.9 (the advisory text states all versions from 0.0.0 onward are affected)

Mitigating Controls

Likely mitigating controls (automated, CWE-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation.

The primary remediation remains applying the corrective commit referenced above, or removing the Divido extension where it is not in use, since the flaw is reachable while the module is merely installed.
