CVE-2014-3990

Name: CVE-2014-3990
Creator: NVD / NIST
Published: 2018-03-20T21:29:00.703+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 6.87%

Last modified Jun 17, 2026

CVE-2014-3990 is a vulnerability of currently unknown severity. The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP object, related to the quantity parameter in an update request.. EPSS estimates a 6.87% chance of exploitation in the next 30 days.

Description

The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP object, related to the quantity parameter in an update request.

Metrics

EPSS Probability

6.87%

93.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Opencart	Opencart	<= 1.5.6.4

References

http://karmainsecurity.com/KIS-2014-08Exploit, Third Party Advisory
http://packetstormsecurity.com/files/127460/OpenCart-1.5.6.4-PHP-Object-Injection.htmlExploit, Third Party Advisory, VDB Entry
http://seclists.org/fulldisclosure/2014/Jul/67Exploit, Mailing List, Third Party Advisory
http://www.securityfocus.com/archive/1/532763/100/0/threadedExploit, Third Party Advisory, VDB Entry
http://www.securityfocus.com/bid/68529Third Party Advisory, VDB Entry
https://github.com/opencart-ce/opencart-ce/commit/c2aafc823bd85876f5e888f8ebc421069a5e076fIssue Tracking, Patch, Third Party Advisory
http://karmainsecurity.com/KIS-2014-08Exploit, Third Party Advisory
http://packetstormsecurity.com/files/127460/OpenCart-1.5.6.4-PHP-Object-Injection.htmlExploit, Third Party Advisory, VDB Entry
http://seclists.org/fulldisclosure/2014/Jul/67Exploit, Mailing List, Third Party Advisory
http://www.securityfocus.com/archive/1/532763/100/0/threadedExploit, Third Party Advisory, VDB Entry
http://www.securityfocus.com/bid/68529Third Party Advisory, VDB Entry
https://github.com/opencart-ce/opencart-ce/commit/c2aafc823bd85876f5e888f8ebc421069a5e076fIssue Tracking, Patch, Third Party Advisory

Timeline

Published: Mar 20, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2014-3990?

How severe is CVE-2014-3990?

Severity scoring for CVE-2014-3990 is pending analysis. The EPSS model estimates a 6.87% probability of exploitation in the next 30 days.

How do I fix CVE-2014-3990?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2014-3990?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST