CVE-2021-47953
Received Received - Intake

Cross-Site Request Forgery in OpenCart Password Change

Vulnerability report for CVE-2021-47953, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulnCheck

Description

OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the 'password' and 'confirm' parameters to hijack accounts.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-10
Last Modified
2026-05-10
Generated
2026-07-11
AI Q&A
2026-05-10
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
opencart opencart 3.0.3.7

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2021-47953 is a Cross-Site Request Forgery (CSRF) vulnerability in OpenCart 3.0.3.7 that allows attackers to change user passwords by sending crafted requests to the account/password endpoint.

Attackers exploit this flaw by tricking authenticated users into submitting hidden forms containing new password values in the 'password' and 'confirm' parameters, effectively hijacking user accounts without their consent.

This vulnerability exists because OpenCart does not implement security tokens to prevent CSRF attacks, allowing unauthorized actions to be performed within an active user session.

Compliance Impact

The vulnerability allows attackers to hijack user accounts by changing passwords without user consent through a Cross-Site Request Forgery (CSRF) attack.

Such unauthorized account access can lead to unauthorized data access or manipulation, which may result in violations of data protection regulations like GDPR or HIPAA that require safeguarding user data and ensuring user consent for changes.

Therefore, this vulnerability could negatively impact compliance with these standards by exposing user accounts to hijacking and potential data breaches.

Impact Analysis

This vulnerability can lead to account hijacking by allowing attackers to change user passwords without authorization.

If exploited, attackers can gain control over user accounts, potentially leading to unauthorized access to personal information, disruption of user activities, and loss of trust in the affected platform.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the account/password endpoint that include the 'password' and 'confirm' parameters. Since the exploit involves Cross-Site Request Forgery (CSRF), look for unexpected or unauthorized password change requests originating from authenticated user sessions.

You can use network monitoring tools or web server logs to identify such requests. For example, using command-line tools like curl or tcpdump to capture and analyze HTTP POST requests to the vulnerable endpoint may help detect exploitation attempts.

  • Use curl to simulate or detect suspicious POST requests: curl -X POST -d "password=newpass&confirm=newpass" https://your-opencart-site/account/password
  • Use tcpdump or Wireshark to capture HTTP traffic and filter for POST requests to /account/password.
  • Check web server access logs for POST requests to /account/password with parameters 'password' and 'confirm'.
Mitigation Strategies

Immediate mitigation steps include implementing CSRF protection mechanisms such as security tokens (CSRF tokens) in forms that handle sensitive actions like password changes.

Additionally, restrict or validate requests to the account/password endpoint to ensure they originate from legitimate sources and authenticated users.

If possible, update OpenCart to a version that patches this vulnerability or apply available security patches.

Educate users to avoid clicking on suspicious links and consider monitoring for unusual password change activities.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47953. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart