
Mongo-Express Project Mongo-Express vulnerabilities

5 known vulnerabilities affecting mongo-express_project/mongo-express.

Total CVEs: 5
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in wild: 1
Severity breakdown: 2 CRITICAL, 3 MEDIUM

Vulnerabilities

CVE-2019-10758 | P1 | CRITICAL | CVSS 9.9 | KEV | PoC | fixed in 0.54.0 | All versions prior to version 0.54.0 | 2019-12-24
CVE-2019-10758 [CRITICAL] CWE-94: mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.
Sources: GHSA, NVD, OSV
CVE-2020-24391 | P2 | CRITICAL | CVSS 9.8 | PoC | ≤ 0.54.0 | 2021-03-30
CVE-2020-24391 [CRITICAL]: mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way. NOTE: this may overlap CVE-2019-10769.
Sources: NVD
CVE-2021-23372 | P4 | MEDIUM | ≥ 0, ≤ 0.54.0 | 2021-10-06
CVE-2021-23372 [MEDIUM] CWE-754 Denial of Service (DoS) in mongo-express: All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash.
Sources: GHSA, OSV
CVE-2021-21422 | P4 | MEDIUM | CVSS 6.1 | ≤ 0.54.0 | v1.0.0 | 2021-06-21
CVE-2021-21422 [MEDIUM] CWE-79: mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however this needs admin interaction on cell. 2: Data cells
Sources: GHSA, NVD, OSV
CVE-2023-52555 | P4 | MEDIUM | CVSS 6.1 | v1.0.2 | 2024-03-01
CVE-2023-52555 [MEDIUM] CWE-352: In mongo-express 1.0.2, /admin allows CSRF, as demonstrated by deletion of a Collection.
Sources: GHSA, NVD, OSV