NodeJS/express-cart/1.1.7
A fully functioning Node.js shopping cart with Stripe, PayPal and Authorize.net payments.
https://www.npmjs.com/package/express-cart
MIT
4 Security Vulnerabilities
Cross-Site Scripting in express-cart
All versions of harp
are vulnerable to Cross-Site Scripting. In the admin page it is possible to inject arbitrary JavaScript as a new product option, allowing attackers to execute arbitrary code. This is limited to the admin page and does not affect other pages.
Recommendation
No fix is currently available. Consider using an alternative module until a fix is made available.
NoSQL injection in express-cart
Versions of express-cart
before 1.1.8 are vulnerable to NoSQL injection.
The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query which allows to insert operators.
These operators can be used to extract the value of the field blindly in the same manner of a blind SQL injection. In this case, the $regex
operator is used to guess each character of the token from the start.
Recommendation
Update to version 1.1.8 or later.
Cross-Site Request Forgery in express-cart
- https://nvd.nist.gov/vuln/detail/CVE-2020-22403
- https://github.com/advisories/GHSA-h5q8-5697-9p9h
- https://github.com/mrvautin/expressCart/commit/cd3ba1bc609c2f2946bfbc7ee2fccf3483eb71fb
- https://hackerone.com/reports/395944
- https://www.npmjs.com/package/express-cart
- https://security.netapp.com/advisory/ntap-20210909-0004/
- https://github.com/mrvautin/expressCart/issues/120
The express-cart package through 1.1.10 for Node.js allows CSRF.
NoSQL injection on express-cart
[express-cart] Customer and admin email enumeration through MongoDB injection
19 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
1.1.1 | MIT | 11 | 2018-01-10 - 20:28 | over 6 years |
1.0.1 | MIT | 11 | 2018-01-09 - 21:09 | over 6 years |
1.1.7 | MIT | 4 | 2018-06-01 - 11:32 | almost 6 years |
1.1.13 | MIT | 2 | 2019-10-26 - 06:51 | over 4 years |
1.1.16 | MIT | 2 | 2020-01-22 - 09:28 | over 4 years |
1.1.4 | MIT | 11 | 2018-02-05 - 18:26 | about 6 years |
1.1.5 | MIT | 11 | 2018-02-05 - 18:34 | about 6 years |
1.1.6 | MIT | 5 | 2018-05-30 - 09:08 | almost 6 years |
1.1.17 | MIT | 1 | 2020-03-20 - 05:16 | about 4 years |
1.1.8 | MIT | 2 | 2018-08-31 - 03:31 | over 5 years |
1.1.9 | MIT | 2 | 2018-08-31 - 05:13 | over 5 years |
1.1.10 | MIT | 2 | 2018-10-05 - 11:59 | over 5 years |
1.1.11 | MIT | 2 | 2019-02-09 - 10:56 | about 5 years |
1.1.12 | MIT | 2 | 2019-06-13 - 11:15 | almost 5 years |
1.1.14 | MIT | 2 | 2019-11-11 - 09:18 | over 4 years |
1.1.15 | MIT | 2 | 2019-12-18 - 07:12 | over 4 years |
1.1.2 | ISC | 11 | 2018-02-03 - 19:20 | about 6 years |
0.0.1-security | ISC | 11 | 2016-07-11 - 17:31 | almost 8 years |
1.1.3 | ISC | 11 | 2018-02-05 - 15:53 | about 6 years |