CVE-2021-47923 | OpenCart 3.0.3.8 contains a session fixation vulnerability t… | CVSS 9.8 CRITICAL

Description

OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover and unauthorized access to user accounts.

Metadata

CVE ID: CVE-2021-47923
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-02-01 11:24 UTC
Published: 2026-05-10 12:43 UTC
Last updated: 2026-05-11 15:14 UTC
Primary CWE: CWE-290
Authentication Bypass by Spoofing
Vendor / Product: Opencart / opencart
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Opencart	opencart	—	3.0.3.8

Weakness (CWE)

CWE	Source	Description
CWE-290	cna	Authentication Bypass by Spoofing

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (3)

ExploitDB-50555 https://www.exploit-db.com/exploits/50555
Official Product Homepage https://www.opencart.com/
VulnCheck Advisory: OpenCart 3.0.3.8 Session Fixation via OCSESSID Cookie https://www.vulncheck.com/advisories/opencart-session-fixation-via-ocsessid-cookie