PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-47923 Exploit Db CVE debrief

CVE-2021-47923 describes a session fixation issue in OpenCart 3.0.3.8, rated critical. According to the supplied record, the server accepts an arbitrary, attacker-supplied OCSESSID cookie value and continues to honor it as a valid session, so an attacker who can plant a chosen value in a victim's browser before the victim logs in ends up holding the victim's authenticated session. The NVD record maps the weakness to CWE-290 (Authentication Bypass by Spoofing); the behaviour described is what CWE catalogues separately as session fixation (CWE-384). The record's impact profile is network-reachable, no authentication and no user interaction required.

Vendor
Exploit Db
Product
Unknown
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-10
Original CVE updated
2026-05-10
Advisory published
2026-05-10
Advisory updated
2026-05-10

Who should care

OpenCart administrators, e-commerce operators, and security teams responsible for customer login and session handling should treat this as urgent. Any environment running the affected OpenCart code, or any application that adopts client-supplied session identifiers the same way, should be reviewed immediately, especially where authenticated customer accounts are exposed.

Technical summary

The supplied description states that OpenCart 3.0.3.8 adopts attacker-controlled OCSESSID cookie values and keeps them as valid sessions. That is session fixation behaviour: the record tags it CWE-290 (Authentication Bypass by Spoofing), while the dedicated CWE for session fixation is CWE-384. The NVD metadata indicates high impact across confidentiality, integrity, and availability, with network access, no privileges required, and no user interaction needed. One caveat for triage: a fixation attack still needs a way to get the chosen OCSESSID into the victim's browser before the victim authenticates (script injection, a cookie set from a sibling host, or an on-path position are the usual routes); the supplied record does not describe that delivery step, only the server's acceptance of the planted value. The cited references include an Exploit-DB item, the OpenCart site, and a VulnCheck advisory, but the debrief here is limited to the facts present in the supplied corpus.
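The accept-and-persist behaviour described above, modelled as an added example in Python. This is illustrative code written for this debrief, not OpenCart's session implementation: a minimal in-memory session store that adopts whatever ID the client presents, next to a hardened store that only honours IDs it issued itself and rotates the ID at login. The cookie name OCSESSID comes from the record; the 26-hex-character ID format, the class and function names, and the user address are assumptions.

```python
"""Session fixation, modelled against a vulnerable and a hardened session store.

Constructed example for this debrief; not OpenCart code.  Only the cookie
name OCSESSID comes from the advisory.  The ID format and all names are
illustrative assumptions.
"""
import re
import secrets

COOKIE_NAME = "OCSESSID"
# Assumed shape of a server-issued ID: 26 lowercase hex characters.
ID_PATTERN = re.compile(r"^[0-9a-f]{26}$")


class VulnerableSessionStore:
    """Adopts any client-presented ID and keeps it across login."""

    def __init__(self):
        self.sessions = {}  # session_id -> session data

    def start(self, presented_id):
        # Defect being modelled: an unknown ID is silently adopted and backed
        # by a fresh record, so a third party can pre-choose the victim's ID.
        sid = presented_id or secrets.token_hex(13)
        self.sessions.setdefault(sid, {})
        return sid

    def login(self, sid, user):
        # Defect being modelled: the ID is not rotated at the privilege change.
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


class HardenedSessionStore:
    """Ignores unknown IDs and regenerates the ID at authentication."""

    def __init__(self):
        self.sessions = {}

    def start(self, presented_id):
        # Only an ID the server issued earlier is honoured; a malformed or
        # simply unknown value is replaced by a fresh server-chosen ID.
        if presented_id and ID_PATTERN.match(presented_id) and presented_id in self.sessions:
            return presented_id
        sid = secrets.token_hex(13)
        self.sessions[sid] = {}
        return sid

    def login(self, sid, user):
        # Regenerate: move the data to a new ID and drop the old one, so a
        # pre-authentication ID known to anyone else becomes worthless.
        data = self.sessions.pop(sid, {})
        data["user"] = user
        new_sid = secrets.token_hex(13)
        self.sessions[new_sid] = data
        return new_sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(store):
    """Replay the fixation scenario; return the user the attacker ends up as."""
    # 1. Attacker picks an ID and primes the server with it.
    attacker_id = "a" * 26
    store.start(attacker_id)
    # 2. The same value is planted in the victim's browser (delivery not
    #    modelled here) and the victim logs in while presenting it.
    victim_id = store.start(attacker_id)
    victim_id = store.login(victim_id, "victim@example.com")
    # 3. Attacker presents the ID they chose.  On the vulnerable store this
    #    is now the victim's authenticated session; on the hardened one it
    #    resolves to nothing.
    return store.whoami(attacker_id)


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(VulnerableSessionStore()))
    print("hardened:  ", fixation_attack(HardenedSessionStore()))
```

The hardened store applies two independent controls, and both matter: rejecting unknown IDs stops the server from creating a record for a value it never issued, and regenerating at login makes any ID that was observable before authentication useless afterwards. Either one alone defeats this particular flow; together they also cover the case where the attacker primes the ID through a legitimate anonymous visit.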

Defensive priority

Critical. The record describes the issue as remotely exploitable without authentication or user interaction, and the outcome is an attacker holding a fully authenticated session in the victim's account.

Recommended defensive actions

  • Verify whether any deployed OpenCart instances run the affected 3.0.3.8 code described in the record, including any vendored or forked copies.
  • Review the referenced VulnCheck advisory and associated disclosure references for remediation guidance.
  • Apply the vendor's fixed release or mitigation as soon as a validated patch or upgrade path is available.
  • Invalidate all active sessions after remediation and force re-authentication, since any session established before the fix may have been fixated.
  • Audit session handling: regenerate the session ID at login (and at any other privilege change), reject any client-presented OCSESSID the server did not itself issue, and generate IDs from a cryptographically secure random source.
  • Monitor for OCSESSID values that do not match the server's issued format, for one value persisting across a login event, and for one value used from several client addresses.
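The monitoring item in the list above, as an added example that is not part of the original debrief: detection logic in Python run over a constructed access log. The log format, the login route, the client addresses and the session ID values are all constructed for the sample; the 26-hex-character issued-ID format is an assumption to be replaced with whatever the deployment actually issues. Three indicators are checked: a malformed OCSESSID, the same ID still in use after a successful login, and one ID used from more than one client address.

```python
"""Fixation indicators over OCSESSID values in a constructed access log.

Constructed example for this debrief; the log format, routes, addresses
and IDs are made up, and the issued-ID format is an assumption.
"""
import re
from collections import defaultdict

# Assumed issued-ID shape: 26 lowercase hex characters.
ID_PATTERN = re.compile(r"^[0-9a-f]{26}$")
# OpenCart-style login route, assumed for the sample.
LOGIN_PATH = "/index.php?route=account/login"

# Constructed log format: "<ts> <client_ip> <method> <path> <status> OCSESSID=<value>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
    r"OCSESSID=(?P<sid>\S*)$"
)

LEGIT_ID = "9f3c2b1a8e7d6c5b4a39281716"
FIXED_ID = "a" * 26            # attacker-chosen; passes the format check
ROTATED_BEFORE = "c0ffee0123456789abcdef0123"
ROTATED_AFTER = "d4e5f60718293a4b5c6d7e8f90"

SAMPLE_LOG = "\n".join(
    f"{ts} {ip} {method} {path} {status} OCSESSID={sid}"
    for ts, ip, method, path, status, sid in [
        # Ordinary user on an unpatched server: same ID before and after login.
        ("2026-05-10T13:00:01Z", "203.0.113.7", "GET", "/index.php?route=common/home", 200, LEGIT_ID),
        ("2026-05-10T13:00:05Z", "203.0.113.7", "POST", LOGIN_PATH, 302, LEGIT_ID),
        ("2026-05-10T13:00:06Z", "203.0.113.7", "GET", "/index.php?route=account/account", 200, LEGIT_ID),
        # Fixation: attacker primes an ID, victim logs in with it, attacker reuses it.
        ("2026-05-10T13:01:10Z", "198.51.100.3", "GET", "/index.php?route=common/home", 200, FIXED_ID),
        ("2026-05-10T13:01:44Z", "192.0.2.9", "GET", "/index.php?route=common/home", 200, FIXED_ID),
        ("2026-05-10T13:01:50Z", "192.0.2.9", "POST", LOGIN_PATH, 302, FIXED_ID),
        ("2026-05-10T13:01:51Z", "192.0.2.9", "GET", "/index.php?route=account/account", 200, FIXED_ID),
        ("2026-05-10T13:02:00Z", "198.51.100.3", "GET", "/index.php?route=account/account", 200, FIXED_ID),
        # Probe with a malformed cookie value.
        ("2026-05-10T13:03:00Z", "203.0.113.50", "GET", "/index.php?route=common/home", 200, "../../etc/passwd"),
        # Patched behaviour: the ID rotates at login, so nothing is flagged.
        ("2026-05-10T13:04:00Z", "203.0.113.60", "GET", "/index.php?route=common/home", 200, ROTATED_BEFORE),
        ("2026-05-10T13:04:02Z", "203.0.113.60", "POST", LOGIN_PATH, 302, ROTATED_BEFORE),
        ("2026-05-10T13:04:03Z", "203.0.113.60", "GET", "/index.php?route=account/account", 200, ROTATED_AFTER),
    ]
)


def parse(log_text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyse(log_text):
    """Return {rule: set of OCSESSID values} for three fixation indicators."""
    findings = defaultdict(set)
    ips_by_sid = defaultdict(set)
    logged_in = set()   # IDs that completed a successful login (302 on POST)

    for r in parse(log_text):
        sid = r["sid"]
        if not ID_PATTERN.match(sid):
            findings["malformed_id"].add(sid)
            continue
        ips_by_sid[sid].add(r["ip"])
        if r["method"] == "POST" and r["path"] == LOGIN_PATH and r["status"] == "302":
            logged_in.add(sid)
        elif sid in logged_in:
            # Same identifier still in use after authentication: a patched
            # server should have regenerated it at login.
            findings["persisted_across_login"].add(sid)

    for sid, ips in ips_by_sid.items():
        if len(ips) > 1:
            findings["shared_by_multiple_ips"].add(sid)
    return dict(findings)


if __name__ == "__main__":
    for rule, sids in analyse(SAMPLE_LOG).items():
        print(rule, sorted(sids))
```

The persisted_across_login rule fires for every user on an unpatched instance, which is the point: it confirms the remediation landed and then serves as a regression signal. The shared_by_multiple_ips rule is the one that catches the actual takeover in the sample, but it needs tuning for NAT and mobile clients before it is used as an alert on its own.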

Evidence notes

This debrief is based only on the supplied CVE description, NVD metadata, and the listed references. The source corpus identifies CWE-290 and a critical CVSS v4.0 vector indicating network-exploitable, unauthenticated impact. The vendor field in the supplied data is marked low confidence and needs review (it reads Exploit Db, which is a disclosure venue rather than the product vendor), so no attribution is assumed beyond the cited references.

Official resources

Published in the supplied CVE record on 2026-05-10T13:16:28.170Z. The NVD record references an Exploit-DB disclosure, OpenCart's website, and a VulnCheck advisory. No KEV entry is present in the supplied data.