{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-58341", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-14T21:24:47.537Z", "datePublished": "2026-03-25T16:04:35.565Z", "dateUpdated": "2026-03-25T20:04:45.707Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-25T16:15:03.824Z"}, "title": "OpenCart Core 4.0.2.3 SQL Injection via search Parameter", "datePublic": "2024-04-02T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "affected": [{"vendor": "Opencart", "product": "OpenCart Core", "versions": [{"status": "affected", "version": "4.0.2.3", "versionType": "semver"}, {"status": "unaffected", "version": "4.1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opencart:opencart_core:4.0.2.3:*:*:*:*:*:*:*"}, {"vulnerable": false, "criteria": "cpe:2.3:a:opencart:opencart_core:4.1.0.0:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en", "value": "OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'search' parameter. Attackers can send GET requests to the product search endpoint with malicious 'search' values to extract sensitive database information using boolean-based blind or time-based blind SQL injection techniques.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'search' parameter. Attackers can send GET requests to the product search endpoint with malicious 'search' values to extract sensitive database information using boolean-based blind or time-based blind SQL injection techniques.</p>"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/51940", "name": "ExploitDB-51940", "tags": ["exploit"]}, {"url": "https://www.opencart.com/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://github.com/opencart/opencart/releases", "name": "Product Reference", "tags": ["product", "patch"]}, {"url": "https://www.vulncheck.com/advisories/opencart-core-sql-injection-via-search-parameter", "name": "VulnCheck Advisory: OpenCart Core 4.0.2.3 SQL Injection via search Parameter", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}}], "credits": [{"lang": "en", "value": "Saud Alenazi", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:04:36.627650Z", "id": "CVE-2024-58341", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:04:45.707Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-58341", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:04:36.627650Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:04:41.316Z"}}], "cna": {"title": "OpenCart Core 4.0.2.3 SQL Injection via search Parameter", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Saud Alenazi"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Opencart", "product": "OpenCart Core", "versions": [{"status": "affected", "version": "4.0.2.3", "versionType": "semver"}, {"status": "unaffected", "version": "4.1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2024-04-02T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/51940", "name": "ExploitDB-51940", "tags": ["exploit"]}, {"url": "https://www.opencart.com/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://github.com/opencart/opencart/releases", "name": "Product Reference", "tags": ["product", "patch"]}, {"url": "https://www.vulncheck.com/advisories/opencart-core-sql-injection-via-search-parameter", "name": "VulnCheck Advisory: OpenCart Core 4.0.2.3 SQL Injection via search Parameter", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'search' parameter. Attackers can send GET requests to the product search endpoint with malicious 'search' values to extract sensitive database information using boolean-based blind or time-based blind SQL injection techniques.", "supportingMedia": [{"type": "text/html", "value": "<p>OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'search' parameter. Attackers can send GET requests to the product search endpoint with malicious 'search' values to extract sensitive database information using boolean-based blind or time-based blind SQL injection techniques.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opencart:opencart_core:4.0.2.3:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:opencart:opencart_core:4.1.0.0:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-25T16:15:03.824Z"}}}, "cveMetadata": {"cveId": "CVE-2024-58341", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:04:45.707Z", "dateReserved": "2026-03-14T21:24:47.537Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-25T16:04:35.565Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'search' parameter. Attackers can send GET requests to the product search endpoint with malicious 'search' values to extract sensitive database information using boolean-based blind or time-based blind SQL injection techniques."}], "id": "CVE-2024-58341", "lastModified": "2026-03-25T16:16:07.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-25T16:16:07.400", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/opencart/opencart/releases"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/51940"}, {"source": "disclosure@vulncheck.com", "url": "https://www.opencart.com/"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/opencart-core-sql-injection-via-search-parameter"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:29:21.379963+00:00", "value": {"mitigation_remediation": ["Upgrade OpenCart Core to version 4.1.0.0 or newer to eliminate the vulnerable code.", "If an upgrade is not immediately possible, disable or restrict the product search functionality to prevent the 'search' parameter from being used.", "Ensure the database user used by OpenCart has only the necessary permissions, limiting damage if injection occurs.", "Deploy a web application firewall or adjust security rules to block suspicious SQL injection patterns targeting the search parameter.", "Monitor web server logs for abnormal search queries that might indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Confidentiality Breach (SQL Injection)"}, "threat_synthesis": {"affected_systems": "The affected product is OpenCart Core, specifically versions 4.0.2.3 and 4.1.0.0 as identified by the CNA. The vulnerability exists in the core code responsible for handling search queries and affects all installations running these versions without the provided patch.", "description_and_impact": "OpenCart Core 4.0.2.3 contains a vulnerability that allows unauthenticated attackers to inject arbitrary SQL code via the publicly exposed 'search' parameter on the product search endpoint. This flaw is an instance of a classic SQL injection (CWE\u201189) and can be leveraged using boolean\u2011based blind or time\u2011based techniques to extract sensitive database content, potentially exposing customer data, order details, or administrative credentials.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity, and while an EPSS score is not provided, the flaw is publicly known and not listed in CISA's KEV catalog. The likely attack vector is an unauthenticated HTTP GET request to the product search endpoint, which is typically accessible to all visitors. An attacker can easily craft malicious queries and use blind techniques to glean database information, meaning the risk of exploitation is significant, especially for publicly exposed storefronts."}}}}, "created": "2026-03-25T21:30:54.615610+00:00", "updated": "2026-03-25T21:30:54.615632+00:00", "vendors": []}