Opencart Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability - CVE-2018-11494

The quotprogram extension uploadquot feature in OpenCart through 3.0.2.0 has a six-step process (upload install unzip move xml remove) that allows attackers to execute arbitrary code if the remove step is skipped because the attacker can discover a secret temporary directory name (containing 10 random digits) via a directory traversal attack involving language_info39code39.