CVE-2020-20491: 
OpenCart vulnerability analysis and mitigation

SQL injection vulnerability was discovered in OpenCart versions 2.2.00 through 3.0.3.2. The vulnerability exists in the Fba plugin function within the upload/admin/index.php file, allowing remote attackers to execute arbitrary code (NVD, CVE). The vulnerability was published on June 20, 2023, and has been assigned a CVSS v3.1 base score of 7.2 (HIGH).

The vulnerability is classified as SQL Injection (CWE-89) and affects the OpenBay Pro extension's Fulfillment by Amazon (FBA) plugin functionality. The issue specifically occurs in the orderList function when processing user input parameters. The vulnerability has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high privileges required (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary SQL commands on the underlying database. This could potentially lead to unauthorized access to sensitive data, manipulation of database contents, and possible system compromise. The high CVSS score reflects the significant potential impact on the system's confidentiality, integrity, and availability (NVD).

Users running affected versions of OpenCart (v2.2.00 through 3.0.3.2) should upgrade to a patched version if available. If immediate upgrade is not possible, it is recommended to disable the Fulfillment by Amazon (FBA) plugin functionality until the vulnerability can be addressed (NVD).