CVE-2021-47923 PUBLISHED

OpenCart 3.0.3.8 Session Fixation via OCSESSID Cookie

Assigner: VulnCheck
Reserved: 01.02.2026
Published: 10.05.2026
Updated: 10.05.2026

OpenCart 3.0.3.8 contains a session fixation vulnerability: the server accepts an arbitrary value presented in the OCSESSID cookie, creates and maintains a server-side session under that value, and keeps using it after the user authenticates instead of issuing a fresh identifier. An attacker who can plant a chosen OCSESSID value in a victim's browser therefore knows the victim's session identifier in advance; once the victim logs in, presenting the same cookie value gives the attacker the authenticated session and unauthorized access to the account.
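To make the failure mode concrete, here is an added example (not OpenCart's code and not part of the advisory) in Python: a minimal in-memory session store that behaves the way the advisory describes, beside one that validates client-supplied identifiers and rotates them at login. The 32-character hex identifier format, the attacker's planted value and the victim's account name are assumptions chosen for illustration. A small helper at the end checks, from the Set-Cookie headers of a post-login response, whether a server rotated the OCSESSID value that was sent, which is the check a tester would run against a live storefront.

```python
"""Model of OCSESSID session fixation and a hardened counterpart.

Added example, not OpenCart code: two toy session stores driven by the
same attack script, plus a header check for testing a live instance.
"""
import re
import secrets
from http.cookies import SimpleCookie

# Assumption for the model: OCSESSID values are 32 lowercase hex chars.
SESSION_ID_RE = re.compile(r"^[a-f0-9]{32}$")


class VulnerableSessionStore:
    """Adopts whatever OCSESSID the client presents and never rotates it."""

    def __init__(self):
        self.sessions = {}

    def start(self, cookie_value):
        # Flaw: an attacker-chosen value becomes a live server-side session.
        if cookie_value is None:
            cookie_value = secrets.token_hex(16)
        self.sessions.setdefault(cookie_value, {})
        return cookie_value

    def login(self, session_id, user):
        # Flaw: the identifier stays the same across authentication.
        self.sessions[session_id]["user"] = user
        return session_id

    def whoami(self, session_id):
        return self.sessions.get(session_id, {}).get("user")


class HardenedSessionStore:
    """Only honours ids it issued itself and rotates the id at login."""

    def __init__(self):
        self.sessions = {}

    def start(self, cookie_value):
        # Unknown or malformed ids are discarded and a fresh one is issued.
        if (cookie_value is None or not SESSION_ID_RE.match(cookie_value)
                or cookie_value not in self.sessions):
            cookie_value = secrets.token_hex(16)
            self.sessions[cookie_value] = {}
        return cookie_value

    def login(self, session_id, user):
        # Privilege change: move the data to a new id, drop the old one.
        data = self.sessions.pop(session_id, {})
        data["user"] = user
        new_id = secrets.token_hex(16)
        self.sessions[new_id] = data
        return new_id

    def whoami(self, session_id):
        return self.sessions.get(session_id, {}).get("user")


def run_fixation_attack(store):
    """Play the attack through a store; return what the planted id resolves to.

    1. Attacker plants a known OCSESSID in the victim's browser (constructed
       value below).
    2. Victim's browser presents that cookie and the victim logs in.
    3. Attacker presents the same planted value.
    """
    planted_id = "deadbeef" * 4            # constructed attacker-chosen value
    victim_id = store.start(planted_id)    # victim's first request
    store.login(victim_id, "victim@example.com")  # constructed account name
    return store.whoami(planted_id)        # attacker reuses the planted id


def ocsessid_was_rotated(sent_id, set_cookie_headers):
    """Live check: did the post-login response issue a different OCSESSID?

    sent_id is the value placed in the request's Cookie header;
    set_cookie_headers is the list of Set-Cookie header values received.
    """
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if "OCSESSID" in jar and jar["OCSESSID"].value != sent_id:
            return True
    return False


if __name__ == "__main__":
    print("vulnerable:", run_fixation_attack(VulnerableSessionStore()))
    print("hardened:  ", run_fixation_attack(HardenedSessionStore()))
```

Against a real storefront the equivalent manual test is to send a login request with a self-chosen `Cookie: OCSESSID=...` value and inspect the response: if no Set-Cookie header replaces that value, the server has adopted the injected identifier, which is the behaviour the advisory reports for 3.0.3.8.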

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor Opencart
Product opencart
Versions
  • Version 3.0.3.8 is affected

Credits

  • Hubert Wojciechowski finder

References

Problem Types

  • CWE-290 Authentication Bypass by Spoofing