[nerdawson]

The researcher correctly pointed out that you don't have to be an admin in order to exploit this vulnerability.

The example given was "Sales" role users who should only ever have limited access to the admin panel.

> You are taking for granted that end users in the "admin" area are all admins, but it is not always true for other installations. I tested different versions of OpenCart for some clients I work for, where they created multiple "sales" users with different roles, which were not admins but only non-technical people with an account provided to update price info and products. Upset employees, phished users, XSS, etc. are all possibilities that make the exploitation feasible in this case and allow unauthorized users (the sales guys or whoever uses their account) to execute arbitrary commands on the server, which should never be the case with the roles they were provided.

[josephcsible]

It sounds to me like the sales users have full admin access, and just don't need most of the access that they have. If that's the case, then this still isn't a vulnerability, but I admit it would be one otherwise.

[nerdawson]

The reference to roles left me with the impression that these users had limited permissions but I know nothing about OpenCart so I may be mistaken.