Description
** DISPUTED ** OpenCart 3.0.3.3 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section, because the stored filename is not HTML-entity-encoded when it is rendered back in the admin interface. NOTE: this issue exists because of an incomplete fix for CVE-2020-10596. The vendor states "this is not a massive issue as you are still required to be logged into the admin."
Remediation
HTML-entity-encode the uploaded filename at every point where it is written into admin HTML (attribute values included), not only on the page touched by the original CVE-2020-10596 fix; the incomplete fix is the reason this entry exists. Because exploitation requires an authenticated admin session, also keep admin access restricted, but treat that as a mitigating factor rather than a fix.
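The following is an added illustration, not OpenCart's own code: a minimal PHP rendering of an uploaded-image thumbnail in its vulnerable form (filename interpolated into HTML unencoded, as the description says) beside the hardened form (entity-encoded on output), plus an upload-time allow-list as defense in depth. The crafted filename, the helper names and the `/image/catalog/` path are all assumptions made for the example.

```php
<?php
// Added example, not OpenCart code. Demonstrates the bug class described above:
// an attacker-chosen filename rendered into admin HTML without entity encoding.
declare(strict_types=1);

// Constructed attacker-controlled filename (assumed for the example):
// the leading quote closes the src attribute, the rest injects a live tag.
const CRAFTED_FILENAME = '"><img src=x onerror=alert(document.cookie)>.png';

// Vulnerable rendering: the filename goes straight into attribute values.
function renderThumbnailVulnerable(string $filename): string
{
    return '<img src="/image/catalog/' . $filename . '" alt="' . $filename . '">';
}

// Hardened rendering: encode at the point of output, quotes included.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderThumbnailSafe(string $filename): string
{
    return '<img src="/image/catalog/' . e($filename) . '" alt="' . e($filename) . '">';
}

// Defense in depth at upload time: only accept a conservative character set and
// an image extension. This narrows what reaches storage; output encoding is
// still required because a filename can arrive from elsewhere (import, database).
function normalizeUploadFilename(string $original): ?string
{
    $base = basename($original);                      // drop any directory part
    if (!preg_match('/^[A-Za-z0-9._-]{1,100}$/', $base)) {
        return null;                                  // reject quotes, <, >, spaces, etc.
    }
    if (!preg_match('/\.(jpe?g|png|gif|webp)$/i', $base)) {
        return null;                                  // reject non-image extensions
    }
    return $base;
}

// Demonstration: the vulnerable output contains a second, executable <img> tag;
// the safe output contains only entity text (&quot;&gt;&lt;img ...).
echo "vulnerable: " . renderThumbnailVulnerable(CRAFTED_FILENAME) . "\n";
echo "safe:       " . renderThumbnailSafe(CRAFTED_FILENAME) . "\n";
var_dump(normalizeUploadFilename(CRAFTED_FILENAME)); // NULL: rejected at upload
var_dump(normalizeUploadFilename('logo.png'));        // string(8) "logo.png"
```

Run it with `php example.php`. The point to verify in a real fix is that `e()` (or an equivalent `htmlspecialchars` call with `ENT_QUOTES`) wraps the filename on every template that prints it; a check that only encodes the filename on the upload listing, but not on a second page that also displays it, is exactly the incomplete-fix pattern this entry describes.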
References
Related Vulnerabilities
WordPress Plugin Contact Form 7 Database Information Disclosure (1.3)
Moodle 7PK - Security Features Vulnerability (CVE-2015-5267)
WordPress Plugin Appointment Booking Calendar CSV Injection (1.3.34)
WordPress Plugin IGIT Posts Slider Widget 'src' Parameter Cross-Site Scripting (1.0)
Oracle Database Server CVE-2020-2527 Vulnerability (CVE-2020-2527)