CVE-2024-21514
Published: 22 June 2024
Summary
CVE-2024-21514 is a high-severity SQL injection (CWE-89) vulnerability in OpenCart (the opencart/opencart package). Its CVSS base score is 7.4 (High).
Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-21514 is an SQL injection vulnerability (CWE-89) in the Divido payment extension bundled with OpenCart. It affects the opencart/opencart package from version 0.0.0 onward (the advisory records no fixed version), and the extension is shipped by default in version 3.0.3.9. The flaw lies in the extension's handling of unsanitized input, specifically in catalog/model/extension/payment/divido.php, where untrusted input reaches a database query without being neutralised.
An unauthenticated remote attacker can trigger the injection whenever the Divido module is installed, even if it is disabled. Successful exploitation gives direct access to the backend database, enabling an attacker to extract its full contents, including customer PII, or to perform other unauthorized database operations.
Public references point to a corrective commit (46bd5f5a8056ff9aad0aa7d71729c4cf593d67e2) that fixes the vulnerable query construction. The EPSS score is currently 0.6604 (a 66% estimated probability of exploitation activity within the next 30 days) and has not risen materially since disclosure.
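The following is an added illustration, not code from OpenCart or from the Divido extension: it reproduces the CWE-89 pattern the advisory describes (untrusted input concatenated into a query) beside the parameterized form that the fix class relies on, and it encodes the advisory's exposure condition (extension installed, enabled flag irrelevant). The SQLite schema, table names, the `order_id` lookup and the `oc_extension`/`oc_setting` rows are assumptions made for the example; the real injection point in divido.php is not shown on this page.

```python
import sqlite3

# Constructed sample data. Table and column names imitate OpenCart's "oc_"
# prefix convention but are a stand-in for the example, not the Divido schema.
SCHEMA = """
CREATE TABLE oc_customer (customer_id INTEGER PRIMARY KEY, email TEXT, telephone TEXT);
CREATE TABLE oc_order (order_id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL);
CREATE TABLE oc_extension (extension_id INTEGER PRIMARY KEY, type TEXT, code TEXT);
CREATE TABLE oc_setting (setting_id INTEGER PRIMARY KEY, code TEXT, "key" TEXT, value TEXT);
INSERT INTO oc_customer VALUES (1, 'alice@example.test', '+1-555-0100');
INSERT INTO oc_customer VALUES (2, 'bob@example.test', '+1-555-0101');
INSERT INTO oc_order VALUES (1001, 1, 42.50);
INSERT INTO oc_order VALUES (1002, 2, 17.00);
-- Divido is installed (row in oc_extension) but disabled (status setting = 0).
INSERT INTO oc_extension VALUES (5, 'payment', 'divido');
INSERT INTO oc_setting VALUES (1, 'payment_divido', 'payment_divido_status', '0');
"""

# Hypothetical attacker-controlled value: closes the string literal, appends a
# UNION that pulls customer PII, and comments out the rest of the statement.
PAYLOAD = "0' UNION SELECT email, telephone FROM oc_customer -- "


def make_db():
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, order_ref):
    """The CWE-89 pattern: unsanitized input spliced into the SQL text."""
    sql = "SELECT order_id, total FROM oc_order WHERE order_id = '" + order_ref + "'"
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, order_ref):
    """Bound parameter: the value can never change the statement's structure.
    (OpenCart code often also casts such values with (int); binding alone suffices here.)"""
    sql = "SELECT order_id, total FROM oc_order WHERE order_id = ?"
    return conn.execute(sql, (order_ref,)).fetchall()


def divido_installed(conn):
    """Exposure condition from the advisory: the extension is installed.
    The enabled flag is deliberately not consulted."""
    row = conn.execute(
        "SELECT 1 FROM oc_extension WHERE type = 'payment' AND code = 'divido'"
    ).fetchone()
    return row is not None


def divido_enabled(conn):
    """Enabled status, shown only to make the point that it does not matter."""
    row = conn.execute(
        'SELECT value FROM oc_setting WHERE "key" = \'payment_divido_status\''
    ).fetchone()
    return row is not None and row[0] == "1"


if __name__ == "__main__":
    db = make_db()
    print("installed:", divido_installed(db), "enabled:", divido_enabled(db))
    print("vulnerable:", vulnerable_lookup(db, PAYLOAD))   # customer PII leaks
    print("hardened:  ", hardened_lookup(db, PAYLOAD))     # no rows
```

Run against the constructed data, the concatenated query returns every customer's e-mail and telephone for the payload, while the bound-parameter query returns nothing for the same input and still finds a real order for "1001". The `divido_installed` check is the one that matters operationally: a store with the row present is exposed even though `divido_enabled` reports false.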
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1960
Vulnerability details
This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have to be enabled), it is possible to exploit SQL injection to gain unauthorised access to the backend database. For any site which is vulnerable, any unauthenticated user could exploit this to dump the entire OpenCart database, including customer PII data.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, "SQL Injection")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- opencart/opencart, all versions from 0.0.0 onward, with the Divido payment extension installed (shipped by default in 3.0.3.9); the vulnerable file is catalog/model/extension/payment/divido.php.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the controls below follow from the cited weakness type (CWE-89) and from the advisory text.
- Apply the corrective commit 46bd5f5a8056ff9aad0aa7d71729c4cf593d67e2, or a release that contains it, so that catalog/model/extension/payment/divido.php no longer builds its query from unsanitized input.
- Uninstall the Divido payment extension wherever it is not used; disabling it is not sufficient, since the injection is reachable while the module is merely installed.
- In extension code, pass untrusted values to the database through bound parameters or, at minimum, proper escaping and type casts, never by string concatenation.
- Because a public proof-of-concept is referenced, review web server logs for unauthenticated requests carrying SQL metacharacters toward the Divido extension, and treat any hit as a potential full-database exposure including customer PII.