Joomla jCart for OpenCart Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in the jCart for OpenCart extension for Joomla, version 2.3.0.2. The account-management endpoints accept state-changing requests without an anti-CSRF token, so an attacker who lures a logged-in customer to an attacker-controlled page can submit a hidden HTML form to those endpoints from the victim's browser. The browser attaches the victim's session cookie automatically, so the request is processed as the victim's own: the attacker needs no credentials of their own to change the victim's name, e-mail address, telephone number, password, or affiliate account details.

Impact

Exploitation of this vulnerability allows unauthorized modification of the victim's account information, including the e-mail address and password, and of affiliate account details. Because the e-mail address and password are the account's login credentials, a successful attack can amount to a full account takeover; an attacker who can change affiliate payment details can also redirect affiliate payouts.

Reproduction

To exploit this vulnerability, an attacker creates an HTML page containing a form whose hidden fields carry the desired account changes (for example first name, last name, e-mail, telephone, or a new password) and whose action is the corresponding jCart account-management endpoint. A small script submits the form as soon as the page loads. When a victim who is logged in to the shop visits the page, the browser sends the POST with the victim's session cookie, and the server applies the changes without any further check; no token bound to the victim's session is required. A quick check for the issue is to inspect the genuine account-edit form: if it contains no hidden anti-CSRF token field, the endpoint is exposed.

Added: May 17, 2026, 1:22 PM
Updated: May 17, 2026, 1:22 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  7.5
remediation     0.0
relevance       8.6
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.