CVE-2024-21516

4.2 MEDIUM

📋 TL;DR

This is a reflected Cross-Site Scripting (XSS) vulnerability in OpenCart's admin file manager that allows attackers to steal admin session tokens via malicious URLs. It affects OpenCart versions 4.0.0.0 through 4.1.0.0. Attackers can chain this with other vulnerabilities for more severe attacks if they know the admin directory path.

💻 Affected Systems

Products:
  • OpenCart
Versions: 4.0.0.0 to 4.1.0.0 (excluding 4.1.0.0)
Operating Systems: All platforms running OpenCart
Default Config Vulnerable: ⚠️ Yes
Notes: The default admin directory name is 'admin'; the dashboard warns users via a pop-up to rename it.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Admin account compromise leading to arbitrary file write, Zip Slip exploitation, and complete system takeover through chained vulnerabilities.

🟠 Likely Case: Session token theft leading to unauthorized admin access and potential data manipulation.

🟢 If Mitigated: Limited to reflected XSS with no admin access if proper directory renaming and authentication controls are in place.

🌐 Internet-Facing: MEDIUM - Requires knowledge of admin directory path and user interaction, but admin panels are often internet-facing.
🏢 Internal Only: LOW - Internal-only deployments reduce exposure, but still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (an admin clicking a malicious link) and knowledge of the admin directory path. The fix is incomplete: the issue remains exploitable if the admin is already authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.0.0

Vendor Advisory: https://github.com/opencart/opencart/commit/c546199e8f100c1f3797a7a9d3cf4db1887399a2

Restart Required: No

Instructions:

1. Upgrade to OpenCart 4.1.0.0 or later.
2. If patching manually, apply commit c546199e8f100c1f3797a7a9d3cf4db1887399a2.
3. Clear caches and test admin functionality.

🔧 Temporary Workarounds

Rename Admin Directory (all platforms)

Change the default 'admin' directory name to an unpredictable value to prevent path discovery.

mv /path/to/opencart/admin /path/to/opencart/[new_name]
Update the config.php files with the new path.

Restrict Admin Access (all platforms)

Limit admin panel access to specific IP addresses or VPN-only connections.

# Apache: Require ip 192.168.1.0/24
# Nginx: allow 192.168.1.0/24; deny all;

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent XSS execution.
  • Deploy Web Application Firewall (WAF) with XSS protection rules.

🔍 How to Verify

Check if Vulnerable:

Check the OpenCart version in the admin dashboard or in system/info. If the version is 4.0.0.0 or later but earlier than 4.1.0.0, the system is vulnerable.

Check Version:

grep "define('VERSION'" index.php (VERSION is defined in OpenCart's index.php, not in config.php, so including config.php alone will not expose it), or check the admin dashboard

Verify Fix Applied:

Verify that the version is 4.1.0.0 or later. Test the admin/common/filemanager.list endpoint with XSS payloads in the directory parameter to confirm it is sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET requests to admin/common/filemanager.list with directory parameter containing script tags or JavaScript
  • Multiple failed admin login attempts followed by successful login from different IP

Network Indicators:

  • HTTP requests with suspicious values in the directory parameter
  • Unexpected redirects after admin authentication

SIEM Query:

source="web_logs" AND uri="/admin/common/filemanager.list" AND query="*directory=*<script>*"
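The query above only matches a literal `<script>` in the raw request under the default /admin/ path; a percent-encoded directory value, or an admin directory renamed as the workaround section recommends, would slip past it. The following Python is an added example, not part of the original advisory: it decodes the query string before matching and keys on the common/filemanager.list route (as a path segment or as OpenCart 4's route= parameter) rather than the directory name. The combined access-log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-format access log line (Apache/Nginx default); the format is an assumption.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
# Markup that has no business in a directory name; applied after percent-decoding so
# <script> and %3Cscript%3E (or a double-encoded variant) are treated alike.
SCRIPT_RE = re.compile(r'<\s*script\b|\bon\w+\s*=|javascript:', re.I)
ROUTE = 'common/filemanager.list'

def targets_filemanager_list(uri: str) -> bool:
    """Match the route as a path segment or as route= (OpenCart 4 style,
    index.php?route=...), so a renamed admin directory is still covered."""
    parts = urlsplit(uri)
    if ROUTE in parts.path:
        return True
    return any(ROUTE in r for r in parse_qs(parts.query).get('route', []))

def script_in_directory(uri: str):
    """Return the decoded directory= value if it carries script-like markup, else None."""
    for value in parse_qs(urlsplit(uri).query, keep_blank_values=True).get('directory', []):
        decoded = unquote(value)  # parse_qs decoded once; this also catches double encoding
        if SCRIPT_RE.search(decoded):
            return decoded
    return None

def scan_log(lines):
    """One finding per GET to filemanager.list whose directory= looks like XSS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group('method') != 'GET' or not targets_filemanager_list(m.group('uri')):
            continue
        payload = script_in_directory(m.group('uri'))
        if payload is not None:
            hits.append({'ip': m.group('ip'), 'ts': m.group('ts'), 'payload': payload})
    return hits

# Constructed sample log lines (not from a real system). Line 2 is a raw payload, line 3
# is percent-encoded against a renamed admin directory, line 4 targets another route.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /admin/index.php?route=common/filemanager.list&user_token=t1&directory=catalog/demo HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2024:10:00:05 +0000] "GET /admin/index.php?route=common/filemanager.list&user_token=t1&directory=<script>alert(1)</script> HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2024:10:00:09 +0000] "GET /backoffice9/index.php?route=common/filemanager.list&user_token=t1&directory=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2024:10:00:12 +0000] "GET /admin/index.php?route=catalog/product&filter_name=%3Cscript%3E HTTP/1.1" 200 512',
]

print(*scan_log(SAMPLE_LOG), sep='\n')
```

Only the two filemanager.list requests from 198.51.100.7 are reported; the encoded one under /backoffice9/ is the case the literal SIEM query misses.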
