npm package

mongo-express

pkg:npm/mongo-express

Vulnerabilities (4)

CVE	CVSS	KEV	Affected versions	Fixed in	Published	Description
CVE-2023-52555	—		<= 1.0.2	—	Mar 1, 2024	In mongo-express 1.0.2, /admin allows CSRF, as demonstrated by deletion of a Collection.
CVE-2021-21422	—		< 1.0.0-alpha.4	1.0.0-alpha.4	Jun 21, 2021	mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document
CVE-2021-23372	—		<= 0.54.0	—	Apr 13, 2021	All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash.
CVE-2019-10758	—	KEV	< 0.54.0	0.54.0	Dec 24, 2019	mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.

CVE-2023-52555Mar 1, 2024
affected <= 1.0.2
In mongo-express 1.0.2, /admin allows CSRF, as demonstrated by deletion of a Collection.
CVE-2021-21422Jun 21, 2021
affected < 1.0.0-alpha.4fixed 1.0.0-alpha.4
mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document
CVE-2021-23372Apr 13, 2021
affected <= 0.54.0
All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash.
CVE-2019-10758KEVDec 24, 2019
affected < 0.54.0fixed 0.54.0
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.