NodeJS/express-cart/1.0.1

A fully functioning Node.js shopping cart with Stripe, PayPal and Authorize.net payments.

https://www.npmjs.com/package/express-cart
MIT

11 Security Vulnerabilities

Privilege Escalation in express-cart

Published date: 2019-06-03T17:31:32Z
Links:

Versions of express-cart before 1.1.6 are vulnerable to privilege escalation. This vulnerability can be exploited so that normal users can escalate their privilege and add new administrator users.

Recommendation

Update to version 1.1.6 or later.

Affected versions: ["0.0.1-security", "1.0.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5"]
Secure versions: []

express-cart unrestricted file upload vulnerability

Published date: 2022-05-13T01:32:21Z
CVE: CVE-2018-3758
Links:

Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access in the hosting machine.

Affected versions: ["0.0.1-security", "1.0.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6"]
Secure versions: []

Path Traversal in express-cart

Published date: 2020-09-01T21:06:38Z
Links:

Versions of express-cart before 1.1.7 are vulnerable to Path Traversal.

Recommendation

Update to version 1.1.7 or later.

Affected versions: ["0.0.1-security", "1.0.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5"]
Secure versions: []

Cross-Site Scripting in express-cart

Published date: 2020-09-02T18:21:26Z
Links:

All versions of harp are vulnerable to Cross-Site Scripting. In the admin page it is possible to inject arbitrary JavaScript as a new product option, allowing attackers to execute arbitrary code. This is limited to the admin page and does not affect other pages.

Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.

Affected versions: ["0.0.1-security", "1.0.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.7", "1.1.8", "1.1.9", "1.1.10", "1.1.11", "1.1.12", "1.1.13", "1.1.14", "1.1.15", "1.1.16", "1.1.17"]
Secure versions: []

NoSQL injection in express-cart

Published date: 2020-09-01T21:17:16Z
Links:

Versions of express-cart before 1.1.8 are vulnerable to NoSQL injection.

The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query which allows to insert operators.

These operators can be used to extract the value of the field blindly in the same manner of a blind SQL injection. In this case, the $regex operator is used to guess each character of the token from the start.

Recommendation

Update to version 1.1.8 or later.

Affected versions: ["0.0.1-security", "1.0.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.7"]
Secure versions: []

Cross-Site Request Forgery in express-cart

Published date: 2021-08-30T17:22:15Z
CVE: CVE-2020-22403
Links:

The express-cart package through 1.1.10 for Node.js allows CSRF.

Affected versions: ["0.0.1-security", "1.0.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.7", "1.1.8", "1.1.9", "1.1.10", "1.1.11", "1.1.12", "1.1.13", "1.1.14", "1.1.15", "1.1.16"]
Secure versions: []

express-cart allows any user to create an admin user

Published date: 2022-05-13T01:49:36Z
CVE: CVE-2018-12457
Links:

Express-Cart before 1.1.6 allows remote attackers to create an admin user via an /admin/setup Referer header.

Affected versions: ["0.0.1-security", "1.0.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5"]
Secure versions: []

Authentication Bypass by Spoofing in express-cart

Published date: 2019-02-07T18:16:03Z
CVE: CVE-2018-16483
Links:

A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators.

Affected versions: ["0.0.1-security", "1.0.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5"]
Secure versions: []

Path Traversal

Published date: 2018-06-02
CVEs: ["CVE-2018-3758"]
CVSS Score: 9.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Links:

Unrestricted file upload (RCE)

Affected versions: ["0.0.1-security", "1.0.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5"]
Secure versions: []
Recommendation: update express-cart to 1.1.7 or higher

Privilege Escalation

Published date: 2018-07-12
CVSS Score: 9.9
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Links:

Privilege escalation allows any user to add an administrator

Affected versions: ["0.0.1-security", "1.0.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5"]
Secure versions: []
Recommendation: Update express-cart module to version >1.1.5

NoSQL injection on express-cart

Published date: 1970-01-01
CVSS Score: 8.2
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Links:

[express-cart] Customer and admin email enumeration through MongoDB injection

Affected versions: ["0.0.1-security", "1.0.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.7"]
Secure versions: []
Recommendation: Update express-cart module to version >=1.1.8

19 Other Versions

Version License Security Released
1.1.17 MIT 1 2020-03-20 - 05:16 about 4 years
1.1.16 MIT 2 2020-01-22 - 09:28 over 4 years
1.1.15 MIT 2 2019-12-18 - 07:12 over 4 years
1.1.14 MIT 2 2019-11-11 - 09:18 over 4 years
1.1.13 MIT 2 2019-10-26 - 06:51 over 4 years
1.1.12 MIT 2 2019-06-13 - 11:15 almost 5 years
1.1.11 MIT 2 2019-02-09 - 10:56 about 5 years
1.1.10 MIT 2 2018-10-05 - 11:59 over 5 years
1.1.9 MIT 2 2018-08-31 - 05:13 over 5 years
1.1.8 MIT 2 2018-08-31 - 03:31 over 5 years
1.1.7 MIT 4 2018-06-01 - 11:32 almost 6 years
1.1.6 MIT 5 2018-05-30 - 09:08 almost 6 years
1.1.5 MIT 11 2018-02-05 - 18:34 about 6 years
1.1.4 MIT 11 2018-02-05 - 18:26 about 6 years
1.1.3 ISC 11 2018-02-05 - 15:53 about 6 years
1.1.2 ISC 11 2018-02-03 - 19:20 about 6 years
1.1.1 MIT 11 2018-01-10 - 20:28 over 6 years
1.0.1 MIT 11 2018-01-09 - 21:09 over 6 years
0.0.1-security ISC 11 2016-07-11 - 17:31 almost 8 years