CVE-2025-1747: 
OpenCart vulnerability analysis and mitigation

HTML injection vulnerability (CVE-2025-1747) affects OpenCart versions prior to 4.1.0. The vulnerability was discovered and disclosed on February 28, 2025, by the Spanish National Cybersecurity Institute (INCIBE). This security flaw specifically impacts the account login functionality of OpenCart, an open-source eCommerce platform (INCIBE Alert, NVD).

The vulnerability allows an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in the /account/login endpoint. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N. It is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (INCIBE Alert).

When exploited, the vulnerability allows attackers to modify the HTML content displayed in the victim's browser, potentially leading to user interface manipulation and compromised user experience. The impact is limited to HTML modification without direct data theft capabilities (INCIBE Alert).

The vulnerability has been patched in OpenCart version 4.1.0. Users are advised to upgrade to this version or later to mitigate the risk. No alternative workarounds have been published (INCIBE Alert).