Description
** DISPUTED ** OpenCart 3.0.3.3 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section because of a lack of entity encoding. NOTE: this issue exists because of an incomplete fix for CVE-2020-10596. The vendor states "this is not a massive issue as you are still required to be logged into the admin."
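The encoding gap the description refers to, shown as an added PHP example that is not OpenCart's own code: the sample filenames, the two rendering functions and the upload-time name check are all constructed here to put unencoded output beside entity-encoded output.

```php
<?php
// Constructed sample filenames as an admin image listing might receive them.
// The last one carries markup to show what happens without entity encoding.
$filenames = [
    'logo.png',
    'banner "summer".jpg',
    '<b>not a tag</b>.png',   // constructed crafted filename
];

// Vulnerable rendering: the filename is interpolated into HTML as-is,
// so any markup in the name becomes part of the page.
function renderUnsafe(array $names): string {
    $html = '';
    foreach ($names as $n) {
        $html .= "<li><a href=\"image/$n\">$n</a></li>\n";
    }
    return $html;
}

// Hardened rendering: encode for the HTML text context and the attribute context.
// ENT_QUOTES also encodes single quotes, so the value is safe in either quote style.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSafe(array $names): string {
    $html = '';
    foreach ($names as $n) {
        $href = 'image/' . rawurlencode($n);   // URL-encode the path component
        $html .= '<li><a href="' . e($href) . '">' . e($n) . "</a></li>\n";
    }
    return $html;
}

// Defence in depth: accept only a conservative character set at upload time,
// so a crafted name never reaches storage even if one view forgets to encode.
function isSafeFilename(string $name): bool {
    return preg_match('/^[A-Za-z0-9._-]{1,128}$/', $name) === 1
        && !in_array($name, ['.', '..'], true);
}

echo renderUnsafe($filenames);   // the crafted name is emitted as live markup
echo renderSafe($filenames);     // the crafted name is emitted as &lt;b&gt;not a tag&lt;/b&gt;.png
var_dump(isSafeFilename('<b>not a tag</b>.png'));   // bool(false)
```

Encoding at output is the fix for the reported bug; the upload-time check only limits the blast radius of a view that was missed, which is exactly how the incomplete fix described above came about.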
Remediation
References