Opencart Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability - CVE-2018-11495
OpenCart through 3.0.2.0 allows directory traversal in the editDownload function in adminmodelcatalogdownload.php via admin/index.phproutecatalog/download/edit related to the download_id. For example an attacker can download ../../config.php.