CVE-2024-21514
📋 TL;DR
An SQL injection vulnerability in the Divido payment extension bundled with OpenCart allows unauthenticated attackers to execute arbitrary SQL queries against the store database. Any installation that still carries the Divido module files is affected, even if the module is disabled in the admin panel, so the entire database, including customer PII, is exposed. OpenCart releases up to and including 3.0.3.9 ship the vulnerable file.
💻 Affected Systems
- OpenCart (bundled Divido payment extension), releases up to and including 3.0.3.9
📦 What is this software?
OpenCart is an open-source PHP e-commerce platform. Divido is a consumer-finance payment extension; in OpenCart 3.x it ships in the core tree under catalog/model/extension/payment/divido.php, so stores that never configured Divido still carry the vulnerable code.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including customer PII, admin credentials, and financial data leading to data breach, account takeover, and potential regulatory penalties.
Likely Case
Unauthenticated attackers dump customer data, extract admin password hashes for offline cracking, and potentially gain administrative access to the OpenCart backend.
If Mitigated
Limited impact if the store sits behind a WAF with rules scoped to the Divido route, the database accepts connections only from the application host, and the OpenCart database user holds no privileges beyond its own schema. These controls slow an attacker down but do not remove the injection; they are stopgaps until the patch is applied.
🎯 Exploit Status
SQL injection in catalog/model/extension/payment/divido.php (line 114 in the 3.0.3.9 tree), where input is concatenated into an SQL query without sanitization. The vulnerable line and the fixing commit are both public (see References), so crafting a working request needs no special tooling; treat exploitation as trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: any build that includes commit 46bd5f5a8056ff9aad0aa7d71729c4cf593d67e2 (this page cites no tagged release)
Vendor Advisory: https://github.com/opencart/opencart/commit/46bd5f5a8056ff9aad0aa7d71729c4cf593d67e2
Restart Required: No (PHP re-reads the file on the next request unless OPcache timestamp validation is disabled; reset OPcache in that case)
Instructions:
1. Update OpenCart to a release that includes the commit above.
2. If you cannot upgrade, backport the commit's change to divido.php on your installation and confirm the affected query no longer concatenates raw input.
3. If Divido is not used, uninstall it from Extensions > Extensions > Payments and delete its files. Disabling it in the admin panel is not enough, because the module is exploitable while disabled.
🔧 Temporary Workarounds
Disable Divido Module
(linux) Completely remove the Divido payment module files. Uninstall the module from the admin panel first and back up the files, then delete them:
rm -f upload/catalog/model/extension/payment/divido.php
rm -f upload/admin/model/extension/payment/divido.php
Deleting the model files is enough to stop the query from running: a request that still reaches the Divido controller fails with a model-load error instead of executing SQL.
WAF Rule Implementation
(all) Add SQL injection blocking rules scoped to requests whose route parameter begins with extension/payment/divido. OpenCart dispatches every request through index.php?route=..., so a rule keyed on the model file path /catalog/model/extension/payment/divido.php never matches real traffic.
🧯 If You Can't Patch
- Put a WAF in front of the store with SQL injection rules scoped to requests carrying route=extension/payment/divido (the PHP model path is not a URL; OpenCart routes through index.php), and URL-decode parameters before matching.
- Segment the OpenCart host from the rest of the network, allow database connections only from the application host, and grant the OpenCart database user no privileges beyond its own schema so a successful injection cannot reach other databases.
🔍 How to Verify
Check if Vulnerable:
Confirm that upload/catalog/model/extension/payment/divido.php exists. Open it and inspect the $this->db->query(...) call at line 114 (3.0.3.9 line numbering): if a request-derived value is concatenated into the query string without a (int) cast or a $this->db->escape() wrapper, the installation is vulnerable.
Check Version:
Read the version from the admin dashboard footer or from the VERSION constant in upload/index.php (define('VERSION', '3.0.3.9');); OpenCart does not ship a VERSION.txt file. Anything at or below 3.0.3.9 that still carries divido.php should be treated as affected.
Verify Fix Applied:
Check that the change from commit 46bd5f5a8056ff9aad0aa7d71729c4cf593d67e2 is present in divido.php. OpenCart's 3.x DB layer builds SQL as strings rather than using prepared statements, so the practical check is that every value reaching the query is cast to the expected type or passed through $this->db->escape().
📡 Detection & Monitoring
Log Indicators:
- Requests with route=extension/payment/divido whose decoded query string or body contains SQL syntax (UNION SELECT, SLEEP(, comment sequences such as -- or /*)
- Bursts of requests to that route from one source, especially from scripted user agents; this is what an automated dump looks like
- Unexpected queries from the OpenCart database user touching information_schema or tables unrelated to checkout, if the MySQL general or slow query log is enabled
- Abnormally large response sizes on the Divido route
Network Indicators:
- GET or POST requests to index.php?route=extension/payment/divido... whose parameters contain SQL keywords (UNION, SELECT, SLEEP) or comment sequences. Only a WAF or body-logging proxy sees POST bodies; web server access logs do not.
SIEM Query:
source="web_logs" AND uri CONTAINS "route=extension/payment/divido" AND (query CONTAINS "UNION" OR query CONTAINS "SELECT" OR query CONTAINS "SLEEP(" OR query CONTAINS "--" OR query CONTAINS "/*")
URL-decode the query field before matching; payloads normally arrive percent-encoded, sometimes twice.
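The detection logic above, run over web server access logs, as an added example (not code from OpenCart, Divido, or this advisory). It parses Apache combined-format lines, keeps only requests whose route parameter starts with extension/payment/divido, URL-decodes each parameter a second time to catch double encoding, and flags values that match SQL injection syntax; it also counts requests to that route per source, which is the "multiple requests" signal. The log lines are constructed for this example using RFC 5737 test addresses, and the route method names in them (callback, update) are hypothetical placeholders, not documented OpenCart routes.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache combined log: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
# SQL injection syntax heuristics, evaluated on the fully URL-decoded value.
SQLI_RE = re.compile(
    r"(?i)(union\s+(all\s+)?select|\bselect\b.+\bfrom\b|sleep\s*\(|benchmark\s*\("
    r"|'\s*(or|and)\s*['\d(]|--[\s-]|/\*|\binformation_schema\b)"
)
DIVIDO_ROUTE = "extension/payment/divido"   # OpenCart dispatches via index.php?route=...

# Constructed sample traffic (not real logs); route method names are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?route=extension/payment/divido/callback&order_id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2024:12:00:05 +0000] "GET /index.php?route=extension/payment/divido/callback&order_id=42%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 4096 "-" "python-requests/2.31"
203.0.113.9 - - [10/Jun/2024:12:00:06 +0000] "GET /index.php?route=extension/payment/divido/callback&order_id=42%2527%2520AND%2520SLEEP(5)--%2520- HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.3 - - [10/Jun/2024:12:01:00 +0000] "GET /index.php?route=product/search&search=union%20select HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2024:12:01:10 +0000] "POST /index.php?route=extension/payment/divido/update HTTP/1.1" 200 12 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Field dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def route_of(target):
    """OpenCart route parameter of a request target ('' if absent)."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True).get("route", [""])[0]


def sqli_indicators(target):
    """(parameter, decoded value) pairs that look like SQL injection.
    parse_qs decodes once; the extra unquote_plus catches double-encoded payloads."""
    hits = []
    for param, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote_plus(value)
            if SQLI_RE.search(decoded):
                hits.append((param, decoded))
    return hits


def scan(log_text):
    """Return (alerts, requests_per_ip), both restricted to the Divido route."""
    alerts, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not route_of(rec["target"]).startswith(DIVIDO_ROUTE):
            continue
        per_ip[rec["ip"]] += 1
        hits = sqli_indicators(rec["target"])
        if hits:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"], "hits": hits})
    return alerts, per_ip


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['ip']} {a['method']} {a['hits']}")
    print("requests to Divido route per source:", dict(counts))
```

In the sample, the two injection attempts from 203.0.113.9 are flagged (one of them only after the second decoding pass), the search request with SQL words in it is ignored because it is not on the Divido route, and the POST is counted but not flagged: access logs carry no request body, so body-borne payloads are only visible through ModSecurity audit logging or an equivalent body-logging layer. Feed the per-source counter into a threshold tuned to the store's real Divido traffic rather than alerting on a single request.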
🔗 References
- https://github.com/opencart/opencart/blob/3.0.3.9/upload/catalog/model/extension/payment/divido.php#L114
- https://github.com/opencart/opencart/commit/46bd5f5a8056ff9aad0aa7d71729c4cf593d67e2
- https://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-7266565