JustAppSec

Unauthenticated SQL injection fixed in OpenCart product search

Published 25 Mar 2026 · Updated 25 Mar 2026 · Source: CVEProject (cvelistV5)

TL;DR — An unauthenticated SQL injection in the search parameter of OpenCart’s product search can let remote attackers extract sensitive database data via blind SQLi techniques.

What happened

OpenCart is a PHP-based open-source e-commerce platform used to run online stores, with built-in catalog browsing and product search.

CVE-2024-58341 reports an unauthenticated SQL injection in OpenCart Core: an attacker can inject SQL through the search parameter of the product search endpoint and extract sensitive database information using boolean-based blind or time-based blind techniques. The CVE record includes a reference to a public exploit entry on Exploit-DB.

Severity is High (CVSS v4.0 base score 8.8; CVSS v3.1 base score 8.2). Unauthenticated SQL injection in storefront-facing endpoints is a repeatable, high-leverage failure mode for e-commerce stacks because it puts customer data and administrative accounts at direct risk from internet-scale probing.

Who is impacted

  • Internet-exposed OpenCart deployments where the product search endpoint is reachable.
  • Projects running affected OpenCart Core versions per the CVE record.
Component        Affected versions (per CVE record)    Unaffected versions (per CVE record)
OpenCart Core    4.0.2.3                               4.1.0.0

What to do now

  • Follow vendor remediation guidance and update OpenCart to a release listed as unaffected in the CVE record (or a newer patched release available at the time of writing).
  • Identify and inventory all OpenCart instances (including container images and immutable deployments) and confirm which environments expose the product search endpoint.
  • Treat potential exposure as data-risk: review web request logs for anomalous search traffic patterns (e.g., high-rate search requests, SQLi timing payload behavior) and investigate unexpected database reads.
  • Reduce exposure while patching: limit access to storefront/admin surfaces where feasible and ensure monitoring/alerting is in place for database query anomalies and error-rate spikes.
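Added example (not part of the original post or of the OpenCart project): a small Python log-review script that implements the log check above. It runs over constructed combined-format access-log lines, assumes the standard storefront route index.php?route=product/search, and flags both SQLi-style indicators in the search parameter and per-IP request bursts against that endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic): one normal
# search, then a burst of time-based and boolean-based probes from a single IP.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Mar/2026:10:00:01 +0000] "GET /index.php?route=product/search&search=blue+shirt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Mar/2026:10:00:02 +0000] "GET /index.php?route=product/search&search=shirt%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 4870 "-" "curl/8.0"
198.51.100.7 - - [25/Mar/2026:10:00:03 +0000] "GET /index.php?route=product/search&search=shirt%27+AND+1%3D1--+ HTTP/1.1" 200 4870 "-" "curl/8.0"
198.51.100.7 - - [25/Mar/2026:10:00:04 +0000] "GET /index.php?route=product/search&search=shirt%27+AND+1%3D2--+ HTTP/1.1" 200 3100 "-" "curl/8.0"
203.0.113.10 - - [25/Mar/2026:10:05:00 +0000] "GET /index.php?route=product/category&path=20 HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Indicators of time-based (sleep/benchmark) and boolean-based (quote + tautology) probing.
SQLI_HINTS = re.compile(r"(?i)(sleep\s*\(|benchmark\s*\(|pg_sleep|waitfor\s+delay"
                        r"|['\"]\s*(and|or)\s+[\w'\"]+\s*[=<>])")

def parse_line(line):
    """Return (ip, timestamp, decoded search term) for a product-search hit, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m.group("target")).query)   # decodes %27, '+' etc.
    if qs.get("route", [""])[0] != "product/search":
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, qs.get("search", [""])[0]

def analyze(log_text, rate_threshold=3, window=timedelta(seconds=60)):
    """Flag search terms carrying SQLi indicators and IPs bursting the search endpoint."""
    findings = {"payload": [], "burst": []}
    recent = defaultdict(list)          # ip -> search-hit timestamps inside the window
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        ip, ts, term = hit
        if SQLI_HINTS.search(term):
            findings["payload"].append((ip, term))
        recent[ip] = [t for t in recent[ip] + [ts] if ts - t <= window]
        if len(recent[ip]) >= rate_threshold and ip not in findings["burst"]:
            findings["burst"].append(ip)
    return findings

if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

Point it at real logs by reading the access log into `analyze`; tune `rate_threshold` and `window` to the store's normal search volume before alerting on bursts.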

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
