express-cart
npm
4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting express-cart
- CVE-2018-12457 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 1.1.6 | 2018-06-15
expressCart before 1.1.6 allows remote attackers to create an admin user via a /admin/setup Referer header.
- CVE-2018-16483 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 1.1.6 | 2019-02-01
A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators.
- CVE-2018-3758 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 1.1.7 | 2018-06-07
Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access in the hosting machine.
- CVE-2020-22403 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 1.1.17 | 2021-08-12
Cross Site Request Forgery (CSRF) vulnerability in Express cart v1.1.16 allows attackers to add an administrator account, add discount code or other unspecified impacts.