So the "vulnerability" requires the attacker to already have admin privileges? Then the OpenCart maintainer is right, and the reporters and this article are wrong.
The researcher correctly pointed out that you don't have to be an admin in order to exploit this vulnerability.
The example given was "Sales" role users who should only ever have limited access to the admin panel.
> You are taking for granted that end users in the "admin" area are all admins, but it is not always true for other installations. I tested different versions of OpenCart for some clients I work for, where they created multiple "sales" users with different roles, which were not admins but only non-technical people with an account provided to update price info and products. Upset employees, phished users, XSS, etc. are all possibilities that make the exploitation feasible in this case and allow unauthorized users (the sales guys or whoever uses their account) to execute arbitrary commands on the server, which should never be the case with the roles they were provided.
It sounds to me like the sales users have full admin access, and just don't need most of the access that they have. If that's the case, then this still isn't a vulnerability, but I admit it would be one otherwise.
But then that would be the vulnerability that needs to be fixed, not this one. That's like saying it's a vulnerability that root can make systemwide changes, since there could be another vulnerability that lets users escalate to root.
Readit News
The example given was "Sales" role users who should only ever have limited access to the admin panel.
> You are taking for granted that end users in the "admin" area are all admins, but it is not always true for other installations. I tested different versions of OpenCart for some clients I work for, where they created multiple "sales" users with different roles, which were not admins but only non-technical people with an account provided to update price info and products. Upset employees, phished users, XSS, etc. are all possibilities that make the exploitation feasible in this case and allow unauthorized users (the sales guys or whoever uses their account) to execute arbitrary commands on the server, which should never be the case with the roles they were provided.