
Express-Cart Project Express-Cart vulnerabilities

5 known vulnerabilities affecting express-cart_project/express-cart.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 1

Vulnerabilities

CVE-2018-3758 | P2 | HIGH | CVSS 8.8 | fixed in 1.1.7 | 2018-06-07
CWE-22: Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access in the hosting machine.
Sources: ghsa, nvd, osv

CVE-2018-16483 | P3 | HIGH | CVSS 8.8 | ≤ 1.1.5 | 2019-02-01
CWE-290: A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators.
Sources: ghsa, nvd, osv

CVE-2018-12457 | P3 | HIGH | ≥ 0, < 1.1.6 | 2022-05-13
CWE-732: express-cart allows any user to create an admin user. Express-Cart before 1.1.6 allows remote attackers to create an admin user via an `/admin/setup` Referer header.
Sources: ghsa, osv

CVE-2020-22403 | P4 | HIGH | CVSS 8.8 | ≤ 1.1.10 | 2021-08-12
CWE-352: Cross Site Request Forgery (CSRF) vulnerability in Express cart v1.1.16 allows attackers to add an administrator account, add discount code or other unspecified impacts.
Sources: ghsa, nvd, osv

CVE-2021-32573 | P4 | MEDIUM | CVSS 4.8 | ≤ 1.1.10 | 2021-05-11
CWE-79: The express-cart package through 1.1.10 for Node.js allows Reflected XSS (for an admin) via a user input field for product options. NOTE: the vendor states that this "would rely on an admin hacking his/her own website."
Sources: nvd