OpenCart
cpe:2.3:a:opencart:opencart:*:*:*:*:*:*:*
- 4.0.2.3
A server-side template injection vulnerability has been identified in OpenCart version 4.0.2.3. This issue arises in the template editor functionality, specifically within the 'Save' function of the file 'admin/controller/design/template.php'. The vulnerability is a regression of CVE-2024-36694, which previously identified a similar issue in the theme editor of the same OpenCart version. Although the codebase was refactored to address the vulnerability, the core issue remains unremediated. The 'Save' method still accepts user-supplied Twig template code via POST input and stores it directly in the database without any sanitization or validation. As a result, when the modified template is rendered on the frontend, the injected code executes server-side. An authenticated administrator can exploit this vulnerability to achieve remote code execution as the web server user, potentially including reverse shell access.
Exploitation of this vulnerability allows for server-side template injection, leading to remote code execution on the server as the web server user.
To reproduce this vulnerability, an authenticated administrator can navigate to the template editor in OpenCart 4.0.2.3. Once there, the 'Save' function can be used to upload a Twig template that includes malicious code. The injected code will be executed when the modified template is rendered on the frontend.
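The root cause described above is that the 'Save' handler persists admin-supplied Twig source with no validation, and the storefront later compiles and renders it with full Twig privileges. One mitigation is to compile and dry-run every submitted template under Twig's sandbox extension with an explicit allow-list before it is written to the database, so any tag, filter or function outside the policy is refused at save time rather than executed at render time. The following is an added example and is not OpenCart's code; it assumes `twig/twig` is installed via Composer, and the `validateTemplate` function and the contents of the allow-list are illustrative choices, not values taken from the project.

```php
<?php
// Added example (not OpenCart's code): validate admin-submitted Twig source
// under a sandbox policy before persisting it. Assumes twig/twig via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\Error as TwigError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Allow-list (illustrative): only what a storefront template legitimately needs.
// 'escape' must be allowed because autoescaping inserts it implicitly.
$policy = new SecurityPolicy(
    ['if', 'for', 'set', 'block', 'extends'],             // tags
    ['escape', 'e', 'upper', 'lower', 'date', 'length'],  // filters
    [],                                                   // object methods
    [],                                                   // object properties
    ['range']                                             // functions
);

$twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
// Second argument true = sandbox every template, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

/**
 * Hypothetical pre-save check: compile the submitted source and render it
 * once with an empty context so the sandbox policy is enforced. Returns
 * ['ok' => bool, 'error' => ?string]; a caller would refuse the database
 * write when 'ok' is false.
 */
function validateTemplate(Environment $twig, string $source): array
{
    try {
        $template = $twig->createTemplate($source);
        $template->render([]);              // triggers sandbox security checks
        return ['ok' => true, 'error' => null];
    } catch (SecurityError $e) {            // construct outside the allow-list
        return ['ok' => false, 'error' => 'Policy violation: ' . $e->getMessage()];
    } catch (TwigError $e) {                // malformed template source
        return ['ok' => false, 'error' => 'Syntax error: ' . $e->getMessage()];
    }
}

// Constructed inputs for illustration: one template that only uses allowed
// constructs, and one that uses a filter ('reverse') absent from the policy.
$submissions = [
    'allowed'    => '{% for name in ["a", "b"] %}{{ name|upper }}{% endfor %}',
    'disallowed' => '{{ "abc"|reverse }}',
];

foreach ($submissions as $label => $source) {
    $result = validateTemplate($twig, $source);
    printf("%s: %s%s\n",
        $label,
        $result['ok'] ? 'accepted' : 'rejected',
        $result['error'] !== null ? ' (' . $result['error'] . ')' : ''
    );
}
```

The same `Environment` with the sandbox enabled should also be the one used to render stored templates on the frontend; validating at save time alone does not protect templates that reached the database by another path. Any rejection at save time is also a useful audit signal, since a legitimate theme edit rarely needs constructs outside a small allow-list.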