| Title | OpenCart 4.1.0.3 Path Traversal |
|---|
| Description | A Zip Slip vulnerability exists in the OpenCart extension installer for .ocmod.zip packages. During installation, ZIP entry names are used to build filesystem paths without properly rejecting traversal sequences such as ../ or validating that the resolved path remains داخل the intended extraction directory. An authenticated administrator who installs a crafted extension package can cause files to be written outside DIR_EXTENSION, resulting in arbitrary file write and possible remote code execution depending on the writable target path and server configuration |
|---|
| Source | ⚠️ https://drive.google.com/file/d/1YemSW2Tn0LKzY3mPosMzElQeHs8P3LMt/view?usp=sharing |
|---|
| User | hai271120 (UID 96497) |
|---|
| Submission | 03/16/2026 13:18 (21 days ago) |
|---|
| Moderation | 04/01/2026 15:50 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 354665 [OpenCart 4.1.0.3 Extension Installer Page installer.php path traversal] |
|---|
| Points | 20 |
|---|