CVE-2021-47946
Cross-Site Request Forgery in OpenCart 3.0.36
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opencart | opencart | 3.0.36 |
| opencart | opencart | to 3.0.36 (inc) |
| opencart | opencart | 4.1.0.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47946 is a Cross-Site Request Forgery (CSRF) vulnerability found in OpenCart version 3.0.36, specifically in the /account/edit endpoint.
This vulnerability allows unauthenticated attackers to trick users into visiting malicious pages that contain crafted CSRF payloads. These payloads can modify the victim's account details, such as changing their email address and other account information.
After modifying the account details, attackers can then use the password reset functionality to gain unauthorized access to the compromised accounts.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized account takeover by attackers without requiring authentication.
Attackers can change victim account details, including email addresses, which can then be used to reset passwords and gain full access to the victim's account.
Such unauthorized access can result in loss of personal data, unauthorized transactions, or misuse of the victim's account.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability in OpenCart 3.0.36 allows unauthenticated attackers to modify victim account details via the /account/edit endpoint by tricking users into visiting malicious pages.
Immediate mitigation steps include advising users not to visit untrusted or suspicious links that could carry CSRF payloads.
Additionally, monitoring and restricting access to the /account/edit endpoint, applying any available patches or updates from OpenCart, and reviewing the password reset process to ensure it is secure can help reduce risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to take over user accounts by changing account details and resetting passwords without user consent. This unauthorized access to user accounts can lead to exposure or misuse of personal and sensitive information.
Such unauthorized access and potential data breaches could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and ensuring user consent for data modifications.
However, the provided information does not explicitly discuss the direct impact on compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Cross-Site Request Forgery (CSRF) attacks targeting the /account/edit endpoint in OpenCart 3.0.36 and below. Detection typically involves monitoring for unusual POST requests to the /account/edit endpoint that change account details without proper authentication.
Since the vulnerability exploits CSRF, network detection can focus on identifying suspicious HTTP POST requests to /account/edit from unauthenticated sources or unusual changes in account email addresses.
Specific commands or tools to detect this vulnerability are not provided in the available resources.
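The page gives no detection commands, so the following is an added example (not from the page, from OpenCart, or from the vulnerability's discoverer) of the kind of log triage the answer above describes: scanning web server access logs for POST requests to the account/edit route whose Referer is absent or points at a foreign origin. It assumes logs in the common Apache/Nginx "combined" format, that the shop's own hostname is known (shop.example here), and that the route appears either as /account/edit or as index.php?route=account/edit. The log lines are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in "combined" log format (not taken from any real system).
# Hostnames and addresses are documentation/reserved values.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2026:12:00:01 +0000] "GET /index.php?route=account/edit HTTP/1.1" 200 5120 "https://shop.example/index.php?route=account/account" "Mozilla/5.0"
203.0.113.5 - - [10/May/2026:12:00:09 +0000] "POST /index.php?route=account/edit HTTP/1.1" 302 0 "https://shop.example/index.php?route=account/edit" "Mozilla/5.0"
198.51.100.7 - - [10/May/2026:12:03:44 +0000] "POST /index.php?route=account/edit HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.9 - - [10/May/2026:12:04:10 +0000] "POST /account/edit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2026:12:04:30 +0000] "POST /index.php?route=checkout/cart/add HTTP/1.1" 200 128 "https://evil.example/lure.html" "Mozilla/5.0"
"""

# Fields of the combined log format: client, ident, user, timestamp, request line,
# status, size, referer, user agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed route shapes: a bare /account/edit path or the OpenCart-style route parameter.
ACCOUNT_EDIT_RE = re.compile(r'(^/account/edit(\?|$))|([?&]route=account/edit(&|$))')


def is_account_edit(path):
    """True when the request path targets the account/edit route."""
    return ACCOUNT_EDIT_RE.search(path) is not None


def referer_host(referer):
    """Hostname from the logged Referer, or None when the log shows no Referer."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def find_suspicious_account_edits(log_text, site_host):
    """Return (ip, timestamp, reason) for each POST to account/edit whose Referer
    is missing or names a host other than the shop itself."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        if m["method"] != "POST" or not is_account_edit(m["path"]):
            continue  # only state-changing requests to the affected route matter
        host = referer_host(m["referer"])
        if host is None:
            findings.append((m["ip"], m["ts"], "no Referer on state-changing request"))
        elif host.lower() != site_host.lower():
            findings.append((m["ip"], m["ts"], f"cross-site Referer {host}"))
    return findings


if __name__ == "__main__":
    for ip, ts, reason in find_suspicious_account_edits(SAMPLE_LOG, "shop.example"):
        print(f"{ts} {ip}: {reason}")
```

Treat the output as triage leads, not proof: browsers and privacy extensions routinely suppress the Referer, so a missing Referer is a weak signal, and a legitimate user editing their profile will look like the second line above. A cross-site Referer on a POST to an account-changing route is the stronger indicator, and matching it against account email changes in the application's own records narrows it further. None of this replaces the actual fix, which is updating OpenCart to a version that validates an anti-CSRF token on the account/edit form.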