NodeJS/express-cart/1.1.7

A fully functioning Node.js shopping cart with Stripe, PayPal and Authorize.net payments.

https://www.npmjs.com/package/express-cart
MIT

4 Security Vulnerabilities

Cross-Site Scripting in express-cart

Published date: 2020-09-02T18:21:26Z
Links:

All versions of harp are vulnerable to Cross-Site Scripting. In the admin page it is possible to inject arbitrary JavaScript as a new product option, allowing attackers to execute arbitrary code. This is limited to the admin page and does not affect other pages.

Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.

Affected versions: ["0.0.1-security", "1.0.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.7", "1.1.8", "1.1.9", "1.1.10", "1.1.11", "1.1.12", "1.1.13", "1.1.14", "1.1.15", "1.1.16", "1.1.17"]
Secure versions: []

NoSQL injection in express-cart

Published date: 2020-09-01T21:17:16Z
Links:

Versions of express-cart before 1.1.8 are vulnerable to NoSQL injection.

The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query which allows to insert operators.

These operators can be used to extract the value of the field blindly in the same manner of a blind SQL injection. In this case, the $regex operator is used to guess each character of the token from the start.

Recommendation

Update to version 1.1.8 or later.

Affected versions: ["0.0.1-security", "1.0.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.7"]
Secure versions: []

Cross-Site Request Forgery in express-cart

Published date: 2021-08-30T17:22:15Z
CVE: CVE-2020-22403
Links:

The express-cart package through 1.1.10 for Node.js allows CSRF.

Affected versions: ["0.0.1-security", "1.0.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.7", "1.1.8", "1.1.9", "1.1.10", "1.1.11", "1.1.12", "1.1.13", "1.1.14", "1.1.15", "1.1.16"]
Secure versions: []

NoSQL injection on express-cart

Published date: 1970-01-01
CVSS Score: 8.2
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Links:

[express-cart] Customer and admin email enumeration through MongoDB injection

Affected versions: ["0.0.1-security", "1.0.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.7"]
Secure versions: []
Recommendation: Update express-cart module to version >=1.1.8

19 Other Versions

Version License Security Released
1.1.17 MIT 1 2020-03-20 - 05:16 about 4 years
1.1.16 MIT 2 2020-01-22 - 09:28 over 4 years
1.1.15 MIT 2 2019-12-18 - 07:12 over 4 years
1.1.14 MIT 2 2019-11-11 - 09:18 over 4 years
1.1.13 MIT 2 2019-10-26 - 06:51 over 4 years
1.1.12 MIT 2 2019-06-13 - 11:15 almost 5 years
1.1.11 MIT 2 2019-02-09 - 10:56 about 5 years
1.1.10 MIT 2 2018-10-05 - 11:59 over 5 years
1.1.9 MIT 2 2018-08-31 - 05:13 over 5 years
1.1.8 MIT 2 2018-08-31 - 03:31 over 5 years
1.1.7 MIT 4 2018-06-01 - 11:32 almost 6 years
1.1.6 MIT 5 2018-05-30 - 09:08 almost 6 years
1.1.5 MIT 11 2018-02-05 - 18:34 about 6 years
1.1.4 MIT 11 2018-02-05 - 18:26 about 6 years
1.1.3 ISC 11 2018-02-05 - 15:53 about 6 years
1.1.2 ISC 11 2018-02-03 - 19:20 about 6 years
1.1.1 MIT 11 2018-01-10 - 20:28 over 6 years
1.0.1 MIT 11 2018-01-09 - 21:09 over 6 years
0.0.1-security ISC 11 2016-07-11 - 17:31 almost 8 years