I found a SQLi vulnerability in the TMD Custom Header Menu OpenCart module.
The CVSS score for this is lower than some of the other SQLi vulnerabilities I found in OpenCart modules, because the vulnerable code is only accessible by authenticated (admin) users.
The maintainers acknowledged the report and fixed this quickly.
Details: https://gist.github.com/mcdruid/ff4f29f4e7830e9e91988c7195d77039
This was assigned CVE-2025-0214.