npm package
express-cart
pkg:npm/express-cart
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-22403 | — | | | < 1.1.17 | 1.1.17 | Aug 12, 2021 | Cross Site Request Forgery (CSRF) vulnerability in Express cart v1.1.16 allows attackers to add an administrator account, add discount code or other unspecified impacts. |
| CVE-2018-16483 | — | | | < 1.1.6 | 1.1.6 | Feb 1, 2019 | A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators. |
| CVE-2018-12457 | High | 8.8 | | < 1.1.6 | 1.1.6 | Jun 15, 2018 | expressCart before 1.1.6 allows remote attackers to create an admin user via a /admin/setup Referer header. |
| CVE-2018-3758 | High | 8.8 | | < 1.1.7 | 1.1.7 | Jun 7, 2018 | Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access in the hosting machine. |