CVE-2021-47923
OpenCart · OpenCart
A session fixation vulnerability in OpenCart allows attackers to hijack user sessions by forcing the use of a known, malicious session identifier.
Executive summary
A session fixation vulnerability in OpenCart enables attackers to hijack active user sessions, leading to unauthorized account access and potential data theft.
Vulnerability
This is a session fixation vulnerability: the application accepts arbitrary attacker-supplied values in the OCSESSID cookie as valid session identifiers. By forcing a victim's browser to use a session ID the attacker already knows, the attacker can hijack that user's session once they authenticate.
Business impact
The CVSS score of 9.8 indicates the high severity of this session hijacking risk. Successful exploitation allows an attacker to impersonate legitimate users, including administrators, leading to unauthorized access to sensitive account information and backend system controls.
Remediation
Immediate Action: Update OpenCart to the latest version and ensure that the application properly regenerates session IDs upon authentication.
Proactive Monitoring: Monitor server logs for abnormal session activity or multiple logins originating from different IP addresses using the same session cookie.
Compensating Controls: Implement strict session management policies, such as limiting the lifetime of session cookies and ensuring they are flagged as Secure and HttpOnly.
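As an added illustration (not OpenCart's code), a minimal Python session store models the defect and its fix: the fixation-prone mode adopts any client-supplied OCSESSID value as a live session and keeps it across login, while the hardened mode honours only server-issued IDs and issues a fresh ID at authentication. The class, method names and the "fixed-by-attacker" sample value are assumptions constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side store keyed by the OCSESSID cookie value (hypothetical model).

    regenerate_on_login=False reproduces the fixation-prone behaviour described
    in the advisory; regenerate_on_login=True is the hardened form.
    """

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self._sessions: Dict[str, Session] = {}

    def new_id(self) -> str:
        # Unpredictable, server-generated identifier.
        return secrets.token_hex(16)

    def resolve(self, cookie_value: Optional[str]) -> str:
        """Map an incoming OCSESSID cookie to a session id, creating one if needed."""
        if cookie_value is not None:
            if self.regenerate_on_login:
                # Hardened: only ids this server issued are honoured; anything
                # else is ignored and replaced with a fresh id.
                if cookie_value in self._sessions:
                    return cookie_value
            else:
                # Defect: whatever the client sent becomes a live session, so an
                # attacker-chosen value is accepted as-is.
                self._sessions.setdefault(cookie_value, Session())
                return cookie_value
        sid = self.new_id()
        self._sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate the session; returns the id the client must use from now on."""
        if not self.regenerate_on_login:
            self._sessions[sid].user = user  # id survives authentication: fixation
            return sid
        # Hardened: rotate the id at the privilege change; the old id dies.
        fresh = self.new_id()
        self._sessions[fresh] = Session(user=user, data=self._sessions.pop(sid).data)
        return fresh

    def user_for(self, sid: str) -> Optional[str]:
        s = self._sessions.get(sid)
        return s.user if s else None
```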
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Session fixation remains a potent threat to web applications. Administrators are urged to update their OpenCart installations and audit session handling configurations to mitigate this risk.