CVE-2020-10596: 
PHP vulnerability analysis and mitigation

OpenCart version 3.0.3.2 was found to contain a Cross-Site Scripting (XSS) vulnerability that affects authenticated users in the admin panel. The vulnerability was discovered and disclosed on January 9, 2020, allowing remote authenticated users to conduct XSS attacks through the users' image upload section (NVD, GitHub Issue).

The vulnerability exists in the image upload functionality within the admin panel's user management section. The application fails to properly sanitize filenames containing malicious scripts, allowing the execution of arbitrary JavaScript code. The issue specifically occurs when uploading user profile images, where the application accepts and stores filenames containing HTML tags and special characters without proper escaping (GitHub Issue).

When successfully exploited, this vulnerability allows attackers to inject malicious scripts that execute in the admin dashboard context. The injected scripts can be used to steal sensitive information including cookies, capture keystrokes, and access account information. The persistent nature of this XSS means the malicious code executes each time someone visits the Image manager section (GitHub Issue).

The recommended mitigation involves implementing proper input validation and sanitization for file names, extensions, and headers before processing them. The application should escape HTML tags and special characters to prevent code execution. It's worth noting that while XSS filtering was implemented in other sections of the application, this particular vector was overlooked in the file upload functionality (GitHub Issue).