OpenCart Session Fixation Vulnerability in OCSESSID Cookie

Vulnerability

A session fixation vulnerability has been identified in OpenCart version 3.0.3.8. The server accepts and keeps using any value supplied in the OCSESSID cookie, so an attacker can inject an arbitrary, attacker-chosen session identifier into a victim's browser and later reuse that same identifier. Because the server maintains the session under the injected value, this enables session takeover and unauthorized access to user accounts.

Impact

Exploitation of this vulnerability allows for session hijacking, enabling attackers to take over user accounts.

Reproduction

To reproduce this vulnerability, set a custom value for the OCSESSID cookie. The server will accept this value, allowing for session fixation. This can be done using a web browser or a tool that modifies cookie values before sending a request to the server.
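The following is an added illustration of the logic behind this class of bug, not OpenCart's own code. It models a session store and two ways of resolving the session cookie: the vulnerable pattern that adopts whatever identifier the client sends (as described above), and a hardened pattern that only honours server-issued identifiers and rotates the id on login. The store, the resolver functions, the `retains_supplied_id` regression check and the sample cookie value are all constructed here as assumptions for the example.

```python
"""Model of session-cookie resolution showing why accepting an arbitrary
client-supplied OCSESSID value enables session fixation, and the fix.
Added illustration only; this is not OpenCart's code. The store, the
resolver functions and the sample cookie values are constructed here."""
import secrets
from typing import Optional


class SessionStore:
    """In-memory stand-in for the server-side session backend."""

    def __init__(self) -> None:
        self.sessions: dict[str, dict] = {}

    def new_session(self) -> str:
        # Server-minted, unpredictable identifier.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid


def resolve_session_vulnerable(store: SessionStore, cookie_sid: Optional[str]) -> str:
    """Vulnerable pattern: any non-empty cookie value is adopted as the session
    id, so a value chosen by an attacker becomes a live session that the
    victim then authenticates into."""
    if not cookie_sid:
        return store.new_session()
    store.sessions.setdefault(cookie_sid, {})  # creates a session under the supplied id
    return cookie_sid


def resolve_session_hardened(store: SessionStore, cookie_sid: Optional[str]) -> str:
    """Hardened pattern: only ids the server itself issued are honoured;
    anything else is discarded and a fresh id is set in its place."""
    if cookie_sid in store.sessions:
        return cookie_sid
    return store.new_session()


def login(store: SessionStore, sid: str, user: str) -> str:
    """On authentication, rotate the id so that an identifier known before
    login stops being useful once the victim is logged in."""
    data = store.sessions.pop(sid, {})
    new_sid = store.new_session()
    store.sessions[new_sid] = {**data, "user": user}
    return new_sid


def retains_supplied_id(resolver, chosen: str = "constructed-client-chosen-id-00000") -> bool:
    """Regression check: does the resolver keep a session id it never issued?
    Returns True when the implementation is open to fixation."""
    store = SessionStore()
    return resolver(store, chosen) == chosen


if __name__ == "__main__":
    print("vulnerable keeps supplied id:", retains_supplied_id(resolve_session_vulnerable))
    print("hardened keeps supplied id: ", retains_supplied_id(resolve_session_hardened))
```

The `retains_supplied_id` check is the shape of test a maintainer can keep in a test suite: it fails whenever a session handler starts treating a never-issued cookie value as a valid session. Rotating the identifier in `login` is the second half of the fix, since a server that honours only its own ids is still exposed if an attacker can learn a pre-login id and it survives authentication.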

Added: May 10, 2026, 1:43 PM
Updated: May 10, 2026, 1:43 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 1.3
exploitability: 9.7
remediation: 0.0
relevance: 7.9
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.