CVE-2024-36694

7.2 HIGH

📋 TL;DR

OpenCart 4.0.2.3 contains a Server-Side Template Injection (SSTI) vulnerability in the Theme Editor function that allows an authenticated attacker to execute arbitrary code on the server. Exploitation requires an OpenCart administrator account with theme-editing permissions. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:
  • OpenCart
Versions: 4.0.2.3 specifically
Operating Systems: All platforms running OpenCart
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin access to the theme editor functionality

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to full server takeover, data theft, and lateral movement within the network

🟠 Likely Case: Unauthorized file system access, data exfiltration, and backdoor installation

🟢 If Mitigated: Limited impact if proper access controls and input validation are implemented

🌐 Internet-Facing: HIGH - Web applications are directly accessible and the vulnerability requires only authenticated admin access
🏢 Internal Only: MEDIUM - Requires authenticated admin access which may be more controlled internally

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated admin access but is straightforward to execute

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to version 4.0.2.4 or later

Vendor Advisory: https://github.com/opencart/opencart/releases/tag/4.0.2.3

Restart Required: No

Instructions:

1. Back up your OpenCart installation and database.
2. Download the latest OpenCart version.
3. Replace affected files with patched versions.
4. Clear the cache and verify functionality.

🔧 Temporary Workarounds

Disable Theme Editor
Platforms: all

Remove or restrict access to the theme editor functionality

# Remove or rename the theme editor files
# Example: mv admin/controller/design/theme.php admin/controller/design/theme.php.disabled

Restrict Admin Access
Platforms: all

Implement strict access controls and multi-factor authentication for admin accounts

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to OpenCart admin interface
  • Deploy web application firewall (WAF) with SSTI detection rules and monitor for suspicious template injection attempts

🔍 How to Verify

Check if Vulnerable:

Check if running OpenCart version 4.0.2.3 and verify theme editor functionality is accessible

Check Version:

Check OpenCart version in admin dashboard or examine system/config.php file

Verify Fix Applied:

Confirm OpenCart version is 4.0.2.4 or later and test theme editor for SSTI payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual theme editor access patterns
  • Suspicious template syntax in POST requests
  • Unexpected file creation/modification

Network Indicators:

  • POST requests to theme editor endpoints containing template injection payloads

SIEM Query:

source="web_logs" AND (uri="/admin/index.php?route=design/theme" OR uri="/admin/controller/design/theme") AND (payload CONTAINS "{{" OR payload CONTAINS "{%" OR payload CONTAINS "{#")
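The SIEM query above is only illustrative, and two practical points matter when turning it into a real detection: request bodies in access logs are usually URL-encoded (so a literal search for "{{" misses "%7B%7B"), and OpenCart 4 themes are Twig files, so template markers in a legitimate theme save are expected and a hit is a triage lead rather than proof of an attack. The following script is an added example (not part of the advisory or of OpenCart itself) that decodes a constructed, hypothetical log format, restricts matching to POST requests against the admin theme-editor route, and reports which markers were seen per request. The log format, the sample IPs, and the "design/theme.save" route suffix are assumptions; the route prefix "design/theme" comes from the advisory.

```python
import re
from urllib.parse import unquote_plus

# Constructed, hypothetical log lines for demonstration (not real OpenCart traffic).
# Assumed format: client_ip method "uri" status "request_body_excerpt"
# The ".save" route suffix is an assumption; matching uses the advisory's "design/theme" prefix.
SAMPLE_LOG_LINES = [
    '10.0.0.5 GET "/admin/index.php?route=design/theme" 200 ""',
    '10.0.0.5 POST "/admin/index.php?route=design/theme.save" 200 "code=<h1>Welcome</h1>"',
    '203.0.113.9 POST "/admin/index.php?route=design/theme.save" 200 "code=%7B%7B+probe+%7D%7D"',
    '203.0.113.9 POST "/admin/index.php?route=design/theme.save" 200 "code=<p>{%25 for x in items %25}</p>"',
    '10.0.0.7 POST "/index.php?route=checkout/cart" 200 "product_id=42"',
]

# Twig-style delimiters listed in the advisory's SIEM query.
TEMPLATE_MARKERS = ("{{", "{%", "{#")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) "(?P<uri>[^"]*)" (?P<status>\d{3}) "(?P<body>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, URL-decoding the URI and body.

    Decoding is the important step: a body logged as %7B%7B would never
    match a literal search for "{{".
    """
    match = LOG_RE.match(line)
    if match is None:
        return None
    record = match.groupdict()
    record["uri"] = unquote_plus(record["uri"])
    record["body"] = unquote_plus(record["body"])
    return record


def is_theme_editor_request(record):
    """True when the request targets the admin theme-editor route from the advisory."""
    return "/admin/" in record["uri"] and "route=design/theme" in record["uri"]


def contains_template_syntax(text):
    """True when any template delimiter appears in the (decoded) text."""
    return any(marker in text for marker in TEMPLATE_MARKERS)


def find_suspicious(lines):
    """Return triage leads: POSTs to the theme editor whose body carries template markers.

    Each lead lists the markers seen so an analyst can compare against
    the edit an administrator actually intended to make.
    """
    hits = []
    for line in lines:
        record = parse_line(line)
        if record is None or record["method"] != "POST":
            continue
        if not is_theme_editor_request(record):
            continue
        markers = [m for m in TEMPLATE_MARKERS if m in record["body"]]
        if markers:
            hits.append({"ip": record["ip"], "uri": record["uri"], "markers": markers})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG_LINES):
        print(f"{hit['ip']} -> {hit['uri']} markers={hit['markers']}")
```

Because every legitimate Twig edit also contains these markers, the useful signal is the combination of source IP, admin account and timing: a theme save from an address or account that has never used the editor before, or a burst of saves outside a maintenance window, is what deserves escalation, and the per-hit marker list helps confirm whether the saved content matches the administrator's intended change.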
