CVE-2021-47928

Received Received - Intake

Blind SQL Injection in Opencart TMD Vendor System 3.x

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulnCheck

Description

Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter. Attackers can craft malicious SQL queries using time-based or content-based blind injection techniques to enumerate usernames, emails, and password reset codes from the oc_user table.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-10

Last Modified

2026-05-10

Generated

2026-06-21

AI Q&A

2026-05-10

EPSS Evaluated

2026-06-20

NVD

CVE-2021-47928

EUVD

EUVD-2021-34790

Affected Vendors & Products

Vendor	Product	Version / Range
tmd	opencart	3.x
tmd	opencart_multi-vendor_marketplace	to 3.x (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive user information stored in the database, including usernames, emails, and password reset codes.

Such unauthorized data extraction can result in compromised user accounts, data breaches, and potential further exploitation of the system.

Executive Summary

CVE-2021-47928 is a blind SQL injection vulnerability found in the Opencart TMD Vendor System 3.x. It allows unauthenticated attackers to inject malicious SQL code through the product_id parameter.

Attackers can use time-based or content-based blind SQL injection techniques to extract sensitive information from the database, such as usernames, emails, and password reset codes from the oc_user table.

Detection Guidance

This vulnerability can be detected by testing the product_id parameter for blind SQL injection using time-based or content-based techniques. Attackers exploit this parameter to extract sensitive data from the database.

Common detection methods include sending specially crafted SQL payloads to the product_id parameter and observing response delays or differences in content to confirm injection points.

Use curl or similar tools to send payloads that cause time delays, for example: curl 'http://targetsite.com/product?product_id=1 AND IF(SUBSTRING((SELECT user()),1,1)='a',SLEEP(5),0)'
Use automated SQL injection detection tools like sqlmap targeting the product_id parameter to verify vulnerability: sqlmap -u "http://targetsite.com/product?product_id=1" --technique=T --dbs

Mitigation Strategies

Immediate mitigation steps include applying patches or updates provided by the vendor for the TMD Vendor System 3.x extension.

If patches are not available, restrict access to the vulnerable endpoints, especially the product_id parameter, by implementing web application firewall (WAF) rules to block suspicious SQL injection payloads.

Validate and sanitize all user inputs on the server side to prevent SQL injection attacks.

Monitor logs for unusual database query patterns or repeated failed attempts to exploit the product_id parameter.

Compliance Impact

CVE-2021-47928 allows unauthenticated attackers to extract sensitive user information such as usernames, emails, and password reset codes from the database via blind SQL injection.

This unauthorized access to personal data can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding user information against unauthorized disclosure.

Exploitation of this vulnerability could result in data breaches, compromising confidentiality and potentially leading to non-compliance with these standards.

Hi! I’m here to help you understand CVE-2021-47928. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2021-47928

Blind SQL Injection in Opencart TMD Vendor System 3.x

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart