CVE-2021-47923
Session Fixation in OpenCart 3.0.3.8
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opencart | opencart | up to and including 3.0.3.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | Authentication Bypass by Spoofing: an attack-focused weakness caused by an incorrectly implemented authentication scheme that is subject to spoofing attacks. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in OpenCart 3.0.3.8 allows attackers to hijack user sessions and gain unauthorized access to user accounts by manipulating the OCSESSID cookie. Such unauthorized access to user accounts can lead to exposure of personal and sensitive data.
This type of security flaw can negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require protection of user data and prevention of unauthorized access. Failure to mitigate this vulnerability could result in violations of these regulations due to compromised confidentiality and integrity of user information.
Can you explain this vulnerability to me?
CVE-2021-47923 is a session fixation vulnerability in OpenCart 3.0.3.8. OpenCart identifies a visitor's session by the OCSESSID cookie. Affected versions accept whatever value a client presents in that cookie and go on using it as the session identifier, instead of only honouring identifiers the server itself issued and replacing anything else with a fresh one.
That means the attacker does not have to steal the victim's session ID: they choose one in advance, get the victim's browser to send it before the victim logs in, wait for the login to bind the account to that already-known identifier, and then present the same OCSESSID themselves to act as the victim. The attacker controls only the identifier, not the session's contents; the takeover works because the identifier survives authentication. If the application issued a new session ID at login, a pre-planted value would become worthless.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to user accounts. An attacker who plants a known OCSESSID value in a victim's browser before the victim logs in can reuse that identifier afterwards to take over the authenticated session, read the victim's account and order details, and perform actions on the victim's behalf.
Such a takeover compromises the confidentiality and integrity of user data and of transactions within the affected OpenCart installation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The condition to test for is whether the server honours a session identifier it never issued. Send a request carrying an OCSESSID value of your own choosing and look at what comes back.
- First fetch the site once without a cookie and note the OCSESSID the server issues, so that your probe value has the same length and alphabet; a value that fails a basic format check tells you nothing about session handling.
- Send the probe with curl: curl -v --cookie "OCSESSID=<your-canary>" http://target-opencart-site/
- A response containing Set-Cookie: OCSESSID=<your-canary> means the server adopted the client-supplied ID. A Set-Cookie with a different, server-generated value means it was rejected. No OCSESSID in Set-Cookie at all is inconclusive: the server may have kept your value silently, so confirm by doing something that stores session state (for example adding an item to the cart) and repeating the request with the same canary to see whether that state persists.
- Also log in while holding the canary and check whether OCSESSID changes afterwards. An application that regenerates the session ID at authentication cannot be exploited for account takeover by fixation even if it accepts a client-chosen ID beforehand.
- The same checks can be done interactively with a proxy such as Burp Suite or OWASP ZAP by editing the OCSESSID cookie in intercepted requests and observing the server's behaviour.
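An offline-testable version of that probe, added here as an example and not part of OpenCart or of this advisory. It sends a request with a canary OCSESSID (assumed here to be 26 hex characters; adjust to whatever shape the target site issues), collects every Set-Cookie header in the reply without following redirects, and reports whether the server echoed the canary, re-issued a different ID, or set nothing, together with the HttpOnly and Secure flags. Run without arguments it classifies a set of constructed sample headers; given a URL it probes that site. The cookie name, the sample headers and the helper names are assumptions for the example.

```python
"""Probe whether a site adopts a client-chosen OCSESSID (session fixation check).

Added example; not OpenCart code and not from this advisory. Assumptions:
the session cookie is named OCSESSID and a server that re-issues the ID
does so via Set-Cookie in the same response.
"""
import secrets
import sys
import urllib.error
import urllib.request

SESSION_COOKIE = "OCSESSID"

# Constructed sample responses for an offline run (not captured from a real site).
SAMPLE_HEADERS = {
    "vulnerable-like": ["OCSESSID={canary}; path=/; HttpOnly"],
    "fixed-like": ["OCSESSID=7f2c0d9e1b4a6c8d0e2f4a6b8c; path=/; Secure; HttpOnly"],
    "silent": ["currency=USD; path=/"],
}


def parse_set_cookie(header):
    """Split one Set-Cookie header into cookie name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def assess(canary, set_cookie_headers):
    """Classify how the server treated the client-supplied session ID.

    verdict:
      "echoed"   the server set OCSESSID to exactly the value we sent, i.e. it
                 adopted an ID it never issued (the precondition for fixation)
      "reissued" the server replaced it with a different ID
      "not_set"  no OCSESSID in Set-Cookie; inconclusive, the server may have
                 kept our value silently, so confirm with persisted session state
    httponly/secure are None when no OCSESSID cookie was set.
    """
    result = {"verdict": "not_set", "httponly": None, "secure": None}
    for raw in set_cookie_headers:
        cookie = parse_set_cookie(raw)
        if cookie["name"] != SESSION_COOKIE:
            continue
        result["verdict"] = "echoed" if cookie["value"] == canary else "reissued"
        result["httponly"] = "httponly" in cookie["attrs"]
        result["secure"] = "secure" in cookie["attrs"]
    return result


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError so their Set-Cookie headers get inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, canary="", timeout=10.0):
    """Send one request carrying a canary OCSESSID and assess the live response."""
    # 26 hex chars mimics the shape of an issued ID (assumption; copy the site's
    # real format from a cookie-less request if it differs).
    canary = canary or secrets.token_hex(13)
    req = urllib.request.Request(url, headers={"Cookie": f"{SESSION_COOKIE}={canary}"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        headers = opener.open(req, timeout=timeout).headers
    except urllib.error.HTTPError as err:
        headers = err.headers  # redirects and error pages still carry Set-Cookie
    result = assess(canary, headers.get_all("Set-Cookie") or [])
    result["canary"] = canary
    return result


def run_samples(canary="0123456789abcdef0123456789"):
    """Assess the constructed samples offline; returns {label: verdict}."""
    return {
        label: assess(canary, [h.format(canary=canary) for h in hdrs])["verdict"]
        for label, hdrs in SAMPLE_HEADERS.items()
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for label, verdict in run_samples().items():
            print(f"{label}: {verdict}")
```

An "echoed" verdict is the fixation precondition; "reissued" is what a fixed build should produce; "not_set" still needs the persisted-state check described above before you call the site clean.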
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation comes down to two things: stop honouring session identifiers the server never issued, and make sure a session identifier does not survive authentication.
- Upgrade OpenCart to a release later than 3.0.3.8; every version up to and including 3.0.3.8 is listed as affected.
- If upgrading is not immediately possible, change session handling so that an OCSESSID with no corresponding entry in the session store is discarded and replaced with a freshly generated ID, and so that the session ID is regenerated on login and on any privilege change. The second measure is the one that breaks fixation: a pre-planted ID becomes useless the moment the victim authenticates.
- Set the HttpOnly and Secure flags on the session cookie. These reduce the risk of cookie theft through script access or plaintext transport, but they do not by themselves prevent fixation, since the attacker never needs to read the cookie.
- Monitor logs for session identifiers that first appear in a client request rather than in a server response, and invalidate sessions that look fixed or hijacked.