CVE-2021-47928
Status: Received - Intake
Blind SQL Injection in Opencart TMD Vendor System 3.x

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulnCheck

Description
Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter. Attackers can craft malicious SQL queries using time-based or content-based blind injection techniques to enumerate usernames, emails, and password reset codes from the oc_user table.
Meta Information
Published: 2026-05-10
Last Modified: 2026-05-10
Generated: 2026-05-10
AI Q&A: 2026-05-10
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
tmd | opencart | 3.x
tmd | opencart_multi-vendor_marketplace | to 3.x (exc)
CWE ID | Description
CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2021-47928 is a blind SQL injection vulnerability found in the Opencart TMD Vendor System 3.x. It allows unauthenticated attackers to inject malicious SQL code through the product_id parameter.

Attackers can use time-based or content-based blind SQL injection techniques to extract sensitive information from the database, such as usernames, emails, and password reset codes from the oc_user table.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the product_id parameter for blind SQL injection using time-based or content-based techniques. Attackers exploit this parameter to extract sensitive data from the database.

Common detection methods include sending specially crafted SQL payloads to the product_id parameter and observing response delays or differences in content to confirm injection points.

  • Use curl or a similar tool to send a payload that causes a time delay, for example: curl -G 'http://targetsite.com/product' --data-urlencode "product_id=1 AND IF(SUBSTRING((SELECT user()),1,1)='a',SLEEP(5),0)"
  • Use an automated SQL injection detection tool such as sqlmap against the product_id parameter to verify the vulnerability: sqlmap -u "http://targetsite.com/product?product_id=1" --technique=T --dbs

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2021-47928 allows unauthenticated attackers to extract sensitive user information such as usernames, emails, and password reset codes from the database via blind SQL injection.

This unauthorized access to personal data can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding user information against unauthorized disclosure.

Exploitation of this vulnerability could result in data breaches, compromising confidentiality and potentially leading to non-compliance with these standards.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying patches or updates provided by the vendor for the TMD Vendor System 3.x extension.

If patches are not available, restrict access to the vulnerable endpoints, especially the product_id parameter, by implementing web application firewall (WAF) rules to block suspicious SQL injection payloads.

Validate and sanitize all user inputs on the server side to prevent SQL injection attacks.

Monitor logs for unusual database query patterns or repeated failed attempts to exploit the product_id parameter.
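
The input validation and log monitoring steps above, as an added example (not code from the vendor or from this advisory): a scanner that reads web access log lines, decodes the product_id query parameter, and flags any value that is not a plain integer. It assumes product_id is meant to be numeric and that logs are in combined format; the sample lines, paths, addresses and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (combined log format); paths and addresses are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [10/May/2026:10:00:01 +0000] "GET /index.php?route=product/product&product_id=42 HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2026:10:00:02 +0000] "GET /index.php?product_id=42%20AND%20SLEEP(5) HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2026:10:00:09 +0000] "GET /index.php?product_id=42%27%20AND%20%271%27=%271 HTTP/1.1" 200 311
198.51.100.3 - - [10/May/2026:10:00:11 +0000] "GET /index.php?route=common/home HTTP/1.1" 200 9000
198.51.100.3 - - [10/May/2026:10:00:12 +0000] "GET /index.php?product_id=12abc HTTP/1.1" 404 120
203.0.113.7 - - [10/May/2026:10:00:15 +0000] "GET /index.php?product_id=42+AND+IF(1=1,SLEEP(5),0) HTTP/1.1" 200 5120
"""

REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# SQL keywords and metacharacters that have no place in a numeric identifier.
SQL_HINT = re.compile(r"\b(sleep|benchmark|select|union|substring|if)\b|['\"]|--|/\*", re.I)

def classify(value):
    """Return None for a plain integer, otherwise the reason the value is suspect."""
    if re.fullmatch(r"[0-9]{1,10}", value):
        return None
    return "sql-syntax" if SQL_HINT.search(value) else "non-numeric"

def scan(lines, param="product_id"):
    """Yield (client_ip, decoded_value, reason) for every suspect product_id."""
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        # parse_qsl percent-decodes and maps '+' to a space, so encoded values are checked in clear.
        for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            if name == param and (reason := classify(value)):
                yield m["ip"], value, reason

def summarize(lines, threshold=3):
    """Return (all findings, clients with at least `threshold` suspect requests)."""
    findings = list(scan(lines))
    per_ip = Counter(ip for ip, _, _ in findings)
    return findings, {ip: n for ip, n in per_ip.items() if n >= threshold}

if __name__ == "__main__":
    findings, noisy = summarize(SAMPLE_LOG.splitlines())
    for ip, value, reason in findings:
        print(f"{ip}\t{reason}\t{value!r}")
    print("repeat offenders:", noisy)
```

The same integer check in `classify` is what server-side validation of product_id would enforce before the value reaches a query.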


How can this vulnerability impact me?

This vulnerability can lead to unauthorized access to sensitive user information stored in the database, including usernames, emails, and password reset codes.

Such unauthorized data extraction can result in compromised user accounts, data breaches, and potential further exploitation of the system.

