NodeJS/express-cart/1.1.4
A fully functioning Node.js shopping cart with Stripe, PayPal and Authorize.net payments.
https://www.npmjs.com/package/express-cart
MIT
11 Security Vulnerabilities
Privilege Escalation in express-cart
- https://github.com/mrvautin/expressCart/commit/baccaae9b0b72f00b10c5453ca00231340ad3e3b
- https://github.com/advisories/GHSA-3fc5-9x9m-vqc4
- https://www.npmjs.com/advisories/730
- https://hackerone.com/reports/343626
- https://github.com/nodejs/security-wg/blob/master/vuln/npm/469.json
- https://snyk.io/vuln/npm:express-cart:20180712
Versions of express-cart
before 1.1.6 are vulnerable to privilege escalation. This vulnerability can be exploited so that normal users can escalate their privilege and add new administrator users.
Recommendation
Update to version 1.1.6 or later.
express-cart unrestricted file upload vulnerability
Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access in the hosting machine.
Path Traversal in express-cart
Versions of express-cart
before 1.1.7 are vulnerable to Path Traversal.
Recommendation
Update to version 1.1.7 or later.
Cross-Site Scripting in express-cart
All versions of harp
are vulnerable to Cross-Site Scripting. In the admin page it is possible to inject arbitrary JavaScript as a new product option, allowing attackers to execute arbitrary code. This is limited to the admin page and does not affect other pages.
Recommendation
No fix is currently available. Consider using an alternative module until a fix is made available.
NoSQL injection in express-cart
Versions of express-cart
before 1.1.8 are vulnerable to NoSQL injection.
The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query which allows to insert operators.
These operators can be used to extract the value of the field blindly in the same manner of a blind SQL injection. In this case, the $regex
operator is used to guess each character of the token from the start.
Recommendation
Update to version 1.1.8 or later.
Cross-Site Request Forgery in express-cart
- https://nvd.nist.gov/vuln/detail/CVE-2020-22403
- https://github.com/advisories/GHSA-h5q8-5697-9p9h
- https://github.com/mrvautin/expressCart/commit/cd3ba1bc609c2f2946bfbc7ee2fccf3483eb71fb
- https://hackerone.com/reports/395944
- https://www.npmjs.com/package/express-cart
- https://security.netapp.com/advisory/ntap-20210909-0004/
- https://github.com/mrvautin/expressCart/issues/120
The express-cart package through 1.1.10 for Node.js allows CSRF.
express-cart allows any user to create an admin user
Express-Cart before 1.1.6 allows remote attackers to create an admin user via an /admin/setup
Referer header.
Authentication Bypass by Spoofing in express-cart
A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators.
Path Traversal
Unrestricted file upload (RCE)
Privilege Escalation
Privilege escalation allows any user to add an administrator
NoSQL injection on express-cart
[express-cart] Customer and admin email enumeration through MongoDB injection
19 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
1.1.17 | MIT | 1 | 2020-03-20 - 05:16 | about 4 years |
1.1.16 | MIT | 2 | 2020-01-22 - 09:28 | over 4 years |
1.1.15 | MIT | 2 | 2019-12-18 - 07:12 | over 4 years |
1.1.14 | MIT | 2 | 2019-11-11 - 09:18 | over 4 years |
1.1.13 | MIT | 2 | 2019-10-26 - 06:51 | over 4 years |
1.1.12 | MIT | 2 | 2019-06-13 - 11:15 | almost 5 years |
1.1.11 | MIT | 2 | 2019-02-09 - 10:56 | about 5 years |
1.1.10 | MIT | 2 | 2018-10-05 - 11:59 | over 5 years |
1.1.9 | MIT | 2 | 2018-08-31 - 05:13 | over 5 years |
1.1.8 | MIT | 2 | 2018-08-31 - 03:31 | over 5 years |
1.1.7 | MIT | 4 | 2018-06-01 - 11:32 | almost 6 years |
1.1.6 | MIT | 5 | 2018-05-30 - 09:08 | almost 6 years |
1.1.5 | MIT | 11 | 2018-02-05 - 18:34 | about 6 years |
1.1.4 | MIT | 11 | 2018-02-05 - 18:26 | about 6 years |
1.1.3 | ISC | 11 | 2018-02-05 - 15:53 | about 6 years |
1.1.2 | ISC | 11 | 2018-02-03 - 19:20 | about 6 years |
1.1.1 | MIT | 11 | 2018-01-10 - 20:28 | over 6 years |
1.0.1 | MIT | 11 | 2018-01-09 - 21:09 | over 6 years |
0.0.1-security | ISC | 11 | 2016-07-11 - 17:31 | almost 8 years |