CVE-2021-47923 -- CVSS 9.8 Vulnerability Briefing
CVE-2021-47923 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2021-47923 is a session fixation vulnerability in OpenCart version 3.0.3.8, an open-source e-commerce platform, allowing unauthenticated attackers to hijack authenticated user sessions through manipulation of the OCSESSID cookie.
Technical Detail
The flaw exists because OpenCart 3.0.3.8 does not properly validate or regenerate session identifiers upon authentication, permitting an attacker to inject an arbitrary value into the OCSESSID cookie prior to a victim logging in. Once the victim authenticates using the attacker-controlled session token, the attacker can reuse that same token to assume the victim's authenticated session, effectively achieving session hijacking and unauthorized account access. Depending on the privilege level of the hijacked account, this could result in full administrative control over the OpenCart storefront, including access to customer data, order records, and backend configuration.
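The mechanism above, and the two controls the remediation section asks for (rotate the session identifier on authentication, and refuse to adopt an identifier the server never issued), reduce to a small amount of session-store logic. The following is an added illustration written for this briefing, not OpenCart code: SessionStore, resolve, login and fixation_survives_login are assumed names, and the cookie value is handled as an opaque string rather than in OpenCart's real format. The weak configuration reproduces the behaviour the text describes (a pre-set OCSESSID value stays valid after login); the hardened configuration shows that either control alone breaks the fixation chain.

```python
"""Session-fixation demonstration with a minimal OCSESSID-style session store.

Added example for this briefing; not OpenCart's implementation. All names
here are assumptions chosen for illustration.
"""
import secrets


class SessionStore:
    def __init__(self, regenerate_on_login: bool, accept_unknown_ids: bool):
        # regenerate_on_login: issue a fresh ID when the session gains a user.
        # accept_unknown_ids: adopt a client-supplied ID the server never issued.
        self.regenerate_on_login = regenerate_on_login
        self.accept_unknown_ids = accept_unknown_ids
        self.sessions: dict[str, dict] = {}  # session id -> session data

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def resolve(self, cookie_sid):
        """Map the OCSESSID cookie presented by the client to a server-side session.

        Weak behaviour: any unknown value is adopted as a live session, so an ID
        planted in the victim's browser becomes the ID the server will trust.
        Hardened behaviour: unknown values are discarded and a new ID issued.
        """
        if cookie_sid in self.sessions:
            return cookie_sid
        if cookie_sid is not None and self.accept_unknown_ids:
            self.sessions[cookie_sid] = {}
            return cookie_sid
        return self.new_session()

    def login(self, cookie_sid, user: str) -> str:
        """Authenticate the session; returns the ID the client should hold afterwards."""
        sid = self.resolve(cookie_sid)
        if self.regenerate_on_login:
            # Privilege change: move the data to a fresh ID and retire the old one.
            data = self.sessions.pop(sid)
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_survives_login(store: SessionStore, presupplied_sid: str = "value-set-before-login") -> bool:
    """True if an ID present before login still resolves to the user afterwards.

    This is the condition a session-fixation attack depends on; a hardened
    store must return False.
    """
    store.login(presupplied_sid, "alice")
    return store.user_for(presupplied_sid) == "alice"


if __name__ == "__main__":
    weak = SessionStore(regenerate_on_login=False, accept_unknown_ids=True)
    hardened = SessionStore(regenerate_on_login=True, accept_unknown_ids=False)
    print("weak store keeps pre-set ID after login:", fixation_survives_login(weak))
    print("hardened store keeps pre-set ID after login:", fixation_survives_login(hardened))
```

Rotating the identifier on login is the control that matters most, because it also covers the case where the planted value happens to be an ID the server once issued; rejecting unknown identifiers is a cheap second layer that stops the store from growing arbitrary entries.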
Exploitation Status
No known exploit code has been publicly documented for this vulnerability at this time, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. There is no confirmed evidence of active exploitation in the wild as of May 17, 2026. Despite the absence of a known exploit, the CVSS score of 9.8 reflects the low attack complexity and high impact potential, warranting prompt remediation regardless of current exploitation status.
Who Is Targeting This
No specific threat actor attribution has been confirmed for this vulnerability at this time. No campaigns, targeted sectors, or adversary groups have been linked to exploitation of CVE-2021-47923 in available intelligence reporting.
What To Do
Operators running OpenCart 3.0.3.8 should upgrade to the latest supported version of OpenCart immediately, as this version is known to contain this flaw and the CVSS score warrants high-priority patching. If an immediate upgrade is not feasible, administrators should enforce strict session management controls at the application or web server layer, including rejecting externally supplied session identifiers and invalidating sessions on any privilege change. Detection efforts should focus on monitoring for anomalous OCSESSID cookie values, particularly those set prior to authentication events, and reviewing access logs for session reuse patterns across distinct IP addresses or user agents. Administrators should also audit administrative accounts for unauthorized access and consider implementing multi-factor authentication on the OpenCart admin panel as a compensating control.
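The two detection heuristics named above (an OCSESSID value shared across distinct IP addresses or user agents, and a value that is present before a login event and still in use afterwards, which is the signature of a session that was never rotated) can be run over ordinary web-server access logs. The following is an added example written for this briefing, not an OpenCart or vendor tool. It assumes an Apache combined log format with the Cookie request header appended as a final quoted field, assumes OpenCart's login route appears as route=account/login with a redirect on success, and treats the OCSESSID value as an opaque alphanumeric token; the log lines are constructed for the example.

```python
"""Detect OCSESSID reuse and non-rotation in access logs.

Added example for this briefing (not OpenCart code). Log format, route
name and session-ID format are assumptions; the sample lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Apache combined format with the Cookie header logged as a trailing quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
COOKIE_RE = re.compile(r'(?:^|;\s*)OCSESSID=([A-Za-z0-9]+)')
LOGIN_PATH = "route=account/login"  # assumed OpenCart login route

# Constructed sample: session a1b2c3d4e5f6 is seen before login, survives the
# login redirect unchanged, and is later used from a second IP/user agent.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/May/2026:10:00:01 +0000] "GET /index.php?route=account/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux)" "OCSESSID=a1b2c3d4e5f6"',
    '203.0.113.5 - - [17/May/2026:10:00:09 +0000] "POST /index.php?route=account/login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux)" "OCSESSID=a1b2c3d4e5f6"',
    '203.0.113.5 - - [17/May/2026:10:00:10 +0000] "GET /index.php?route=account/account HTTP/1.1" 200 7410 "-" "Mozilla/5.0 (X11; Linux)" "OCSESSID=a1b2c3d4e5f6"',
    '198.51.100.7 - - [17/May/2026:10:02:44 +0000] "GET /index.php?route=account/account HTTP/1.1" 200 7410 "-" "curl/8.5.0" "OCSESSID=a1b2c3d4e5f6"',
    '192.0.2.9 - - [17/May/2026:10:03:00 +0000] "GET /index.php?route=product/product&product_id=42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (Windows NT 10.0)" "OCSESSID=f6e5d4c3b2a1"',
    'this line is malformed and must be skipped',
]


def analyze_lines(lines: List[str]) -> Dict[str, List[str]]:
    """Return {session_id: [reasons]} for sessions that look suspicious."""
    sessions = defaultdict(lambda: {
        "clients": set(), "before_login": False, "login": False, "after_login": False,
    })
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        c = COOKIE_RE.search(m["cookie"])
        if not c:
            continue  # request carried no OCSESSID
        rec = sessions[c.group(1)]
        rec["clients"].add((m["ip"], m["ua"]))
        is_login = (m["method"] == "POST" and LOGIN_PATH in m["path"]
                    and m["status"] in ("302", "303"))
        if is_login:
            rec["login"] = True
        elif rec["login"]:
            rec["after_login"] = True
        else:
            rec["before_login"] = True

    findings: Dict[str, List[str]] = {}
    for sid, rec in sessions.items():
        reasons = []
        if len(rec["clients"]) > 1:
            reasons.append("multiple-clients")
        if rec["before_login"] and rec["login"] and rec["after_login"]:
            # Same ID on both sides of a successful login: never rotated.
            reasons.append("not-rotated-on-login")
        if reasons:
            findings[sid] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in analyze_lines(SAMPLE_LOG).items():
        print(sid, ", ".join(reasons))
```

The not-rotated-on-login check doubles as a verification that an upgrade or a web-server-layer mitigation is actually in effect: on a patched deployment the ID on the post-login request should differ from the one on the login POST, so that finding should disappear entirely. The multiple-clients check will produce some noise from users behind changing NAT addresses or proxy pools, so it is best paired with the user-agent component and reviewed rather than alerted on blindly.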