CVE-2021-47946 - Vulnerability Details

OpenCart 3.0.36 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email addresses and account information, then use password reset functionality to gain unauthorized access to compromised accounts.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Opencart	Opencart

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Opencart	Opencart

References

Link	Providers
https://www.exploit-db.com/exploits/49407
https://www.opencart.com
https://www.opencart.com/index.php?route=cms/download
https://www.vulncheck.com/advisories/opencart-account-takeover-via-cross-site-request-forgery

History

Sun, 10 May 2026 13:00:00 +0000

Type	Values Removed	Values Added
Description		OpenCart 3.0.36 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email addresses and account information, then use password reset functionality to gain unauthorized access to compromised accounts.
Title		OpenCart 3.0.36 Account Takeover via Cross Site Request Forgery
First Time appeared		Opencart Opencart opencart
Weaknesses		CWE-352
CPEs		cpe:2.3:a:opencart:opencart:3.0.3.6:::::::*
Vendors & Products		Opencart Opencart opencart
References		https://www.exploit-db.com/exploits/49407 https://www.opencart.com https://www.opencart.com/index.php?route=cms/download https://www.vulncheck.com/advisories/opencart-account-takeover-via-cross-site-request-forgery
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-05-10T12:44:02.503Z

Updated: 2026-05-10T12:44:02.503Z

Reserved: 2026-02-01T11:24:18.718Z

Link: CVE-2021-47946

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T13:16:31.027

Modified: 2026-05-10T13:16:31.027

Link: CVE-2021-47946

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T15:30:14Z

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object